HIGHCVE-2026-32287Published Modified CNA Go
CVE-2026-32287: Infinite loop in github.com/antchfx/xpath
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 1.3.6
- Affected Products
- 1
Fix available
1.3.6
Affected packages
- github.com/antchfx/xpath / github.com/antchfx/xpath< 1.3.6 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences