{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32287", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.556Z", "datePublished": "2026-03-26T19:40:52.142Z", "dateUpdated": "2026-03-30T14:55:05.920Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:52.142Z"}, "title": "Infinite loop in github.com/antchfx/xpath", "descriptions": [{"lang": "en", "value": "Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\"."}], "affected": [{"vendor": "github.com/antchfx/xpath", "product": "github.com/antchfx/xpath", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/antchfx/xpath", "versions": [{"version": "0", "lessThan": "1.3.6", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "logicalQuery.Select"}, {"name": "Expr.Evaluate"}, {"name": "NodeIterator.MoveNext"}, {"name": "ancestorQuery.Evaluate"}, {"name": "ancestorQuery.Select"}, {"name": "attributeQuery.Evaluate"}, {"name": "attributeQuery.Select"}, {"name": "booleanQuery.Evaluate"}, {"name": "booleanQuery.Select"}, {"name": "cachedChildQuery.Evaluate"}, {"name": "cachedChildQuery.Select"}, {"name": "childQuery.Evaluate"}, {"name": "childQuery.Select"}, {"name": "descendantOverDescendantQuery.Evaluate"}, {"name": "descendantOverDescendantQuery.Select"}, {"name": "descendantQuery.Evaluate"}, {"name": "descendantQuery.Select"}, {"name": "filterQuery.Evaluate"}, {"name": "filterQuery.Select"}, {"name": "followingQuery.Evaluate"}, {"name": "followingQuery.Select"}, {"name": "functionQuery.Evaluate"}, {"name": "groupQuery.Evaluate"}, {"name": "groupQuery.Select"}, {"name": "lastFuncQuery.Evaluate"}, {"name": "logicalQuery.Evaluate"}, {"name": "mergeQuery.Evaluate"}, {"name": "mergeQuery.Select"}, {"name": "numericQuery.Evaluate"}, {"name": "parentQuery.Evaluate"}, {"name": "parentQuery.Select"}, {"name": "precedingQuery.Evaluate"}, {"name": "precedingQuery.Select"}, {"name": "selfQuery.Evaluate"}, {"name": "selfQuery.Select"}, {"name": "transformFunctionQuery.Evaluate"}, {"name": "transformFunctionQuery.Select"}, {"name": "unionQuery.Evaluate"}, {"name": "unionQuery.Select"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "references": [{"url": "https://github.com/antchfx/xpath/issues/121"}, {"url": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"}, {"url": "https://github.com/golang/vulndb/issues/4526"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4526"}]}, "adp": [{"references": [{"url": "https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:12:30.141178Z", "id": "CVE-2026-32287", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:55:05.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32287", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:12:30.141178Z"}}}], "references": [{"url": "https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:12:56.371Z"}}], "cna": {"title": "Infinite loop in github.com/antchfx/xpath", "affected": [{"vendor": "github.com/antchfx/xpath", "product": "github.com/antchfx/xpath", "versions": [{"status": "affected", "version": "0", "lessThan": "1.3.6", "versionType": "semver"}], "packageName": "github.com/antchfx/xpath", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "logicalQuery.Select"}, {"name": "Expr.Evaluate"}, {"name": "NodeIterator.MoveNext"}, {"name": "ancestorQuery.Evaluate"}, {"name": "ancestorQuery.Select"}, {"name": "attributeQuery.Evaluate"}, {"name": "attributeQuery.Select"}, {"name": "booleanQuery.Evaluate"}, {"name": "booleanQuery.Select"}, {"name": "cachedChildQuery.Evaluate"}, {"name": "cachedChildQuery.Select"}, {"name": "childQuery.Evaluate"}, {"name": "childQuery.Select"}, {"name": "descendantOverDescendantQuery.Evaluate"}, {"name": "descendantOverDescendantQuery.Select"}, {"name": "descendantQuery.Evaluate"}, {"name": "descendantQuery.Select"}, {"name": "filterQuery.Evaluate"}, {"name": "filterQuery.Select"}, {"name": "followingQuery.Evaluate"}, {"name": "followingQuery.Select"}, {"name": "functionQuery.Evaluate"}, {"name": "groupQuery.Evaluate"}, {"name": "groupQuery.Select"}, {"name": "lastFuncQuery.Evaluate"}, {"name": "logicalQuery.Evaluate"}, {"name": "mergeQuery.Evaluate"}, {"name": "mergeQuery.Select"}, {"name": "numericQuery.Evaluate"}, {"name": "parentQuery.Evaluate"}, {"name": "parentQuery.Select"}, {"name": "precedingQuery.Evaluate"}, {"name": "precedingQuery.Select"}, {"name": "selfQuery.Evaluate"}, {"name": "selfQuery.Select"}, {"name": "transformFunctionQuery.Evaluate"}, {"name": "transformFunctionQuery.Select"}, {"name": "unionQuery.Evaluate"}, {"name": "unionQuery.Select"}]}], "references": [{"url": "https://github.com/antchfx/xpath/issues/121"}, {"url": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"}, {"url": "https://github.com/golang/vulndb/issues/4526"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4526"}], "descriptions": [{"lang": "en", "value": "Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\"."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:52.142Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32287", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:55:05.920Z", "dateReserved": "2026-03-11T16:38:46.556Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-26T19:40:52.142Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:antchfx:xpath:*:*:*:*:*:go:*:*", "matchCriteriaId": "9456C4F2-D4AD-4F6D-9520-00E6C5C4AB18", "versionEndExcluding": "1.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\"."}, {"lang": "es", "value": "Expresiones booleanas de XPath que se eval\u00faan como verdaderas pueden causar un bucle infinito en logicalQuery.Select, lo que lleva a un uso del 100% de la CPU. Esto puede ser activado por selectores de nivel superior como 1=1 o true()."}], "id": "CVE-2026-32287", "lastModified": "2026-04-21T15:33:09.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T20:16:12.403", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/antchfx/xpath/issues/121"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/golang/vulndb/issues/4526"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4526"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/antchfx/xpath: github.com/antchfx/xpath: Denial of Service due to infinite loop via boolean XPath expressions", "id": "2451856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451856"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\".", "A flaw was found in github.com/antchfx/xpath. An attacker could exploit this vulnerability by providing specially crafted boolean XPath expressions that evaluate to true. This can cause an infinite loop within the logicalQuery.Select function, leading to 100% CPU utilization. The consequence is a Denial of Service (DoS) condition, making the affected system unresponsive."], "name": "CVE-2026-32287", "package_state": [{"cpe": "cpe:/a:redhat:openshift_compliance_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "Compliance Operator"}, {"cpe": "cpe:/a:redhat:openshift_compliance_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "Compliance Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-must-gather-rhel8", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-openscap-rhel8", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-dotnet-external-provider-rhel8", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-dotnet-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-generic-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-java-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-solution-server-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-must-gather-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-openscap-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/opentelemetry-collector-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-jaeger-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2026-03-26T19:40:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32287\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32287\nhttps://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494\nhttps://github.com/antchfx/xpath/issues/121\nhttps://github.com/golang/vulndb/issues/4526\nhttps://pkg.go.dev/vuln/GO-2026-4526"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "github.com/antchfx/xpath", "source": "cna", "vendor": "github.com/antchfx/xpath"}, "product": "xpath", "vendor": "antchfx"}], "analysis": {"en": {"generated_at": "2026-04-22T03:37:49.599894+00:00", "value": {"mitigation_remediation": ["Update the antchfx/xpath dependency to a version that includes the fix commit afd4762cc342af56345a3fb4002a59281fcab494.", "If the library is used to parse user input, validate or sanitize the XPath expressions to reject boolean conditions such as \"1=1\" or \"true()\" before invoking logicalQuery.Select.", "Review the logicalQuery.Select implementation to confirm proper exit conditions and eliminate potential infinite loops, addressing CWE\u2011835.", "Consider configuring application resource limits or CPU quotas to mitigate the impact of potential infinite loops.", "Continuously monitor application CPU usage and set alerts for abnormal spikes that could indicate a DoS attempt."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability resides in the antchfx/xpath Go library. All projects that incorporate versions of this library before the patch commit afd4762cc342af56345a3fb4002a59281fcab494 are affected. No specific version range is documented, but any deployment using the library prior to this commit should be considered vulnerable and requires updating.", "description_and_impact": "Boolean XPath expressions that evaluate to true can create an infinite loop in logicalQuery.Select, causing the process to consume 100% CPU. The result is a denial\u2011of\u2011service condition for the application or system that hosts the library. The weakness is identified as unreliable input validation (CWE\u2011606) and infinite loop (CWE\u2011835).", "risk_and_exploitability": "The CVSS score is 7.5, indicating a medium\u2011to\u2011high severity. The EPSS score is below 1%, implying a low probability of real\u2011world exploitation at present. It is not listed in CISA\u2019s KEV catalog. Likely attack vectors involve supplying a boolean XPath expression, such as \"1=1\" or \"true()\", through any user\u2011controllable input that reaches logicalQuery.Select. If the application processes untrusted requests with this library, an attacker could trigger the loop and exhaust CPU resources, leading to service disruption."}}}}, "created": "2026-03-27T08:32:23.719221+00:00", "updated": "2026-04-22T03:45:06.975230+00:00", "vendors": ["antchfx", "antchfx$PRODUCT$xpath"]}