CVE-2026-45186

LOW
Published May 10, 2026 Modified May 14, 2026 CWE-407

Description

In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

CVSS v3.1 Score

2.9
LOW
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS — Exploit Prediction

0.0001
Probability of exploitation
0.01%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-407 CWE-407

Affected Products

Vendor Product
libexpat_project libexpat

References

Frequently Asked Questions

What is CVE-2026-45186? +
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. It has a CVSS v3.1 base score of 2.9 (LOW).
How severe is CVE-2026-45186? +
CVE-2026-45186 has a CVSS v3.1 score of 2.9 out of 10, rated LOW. This is a low-severity vulnerability with limited impact. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-45186? +
CVE-2026-45186 affects products from libexpat_project, specifically: libexpat. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-45186? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-48959

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the …
CVE-2026-44378

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause …
CVE-2026-42245

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has …
CVE-2026-43967

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over …
CVE-2026-40476

graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons …
CVE-2025-62727 7.5

Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-45186 — free, no signup required.

Start Free Scan