{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32287", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.556Z", "datePublished": "2026-03-26T19:40:52.142Z", "dateUpdated": "2026-03-30T14:55:05.920Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:52.142Z"}, "title": "Infinite loop in github.com/antchfx/xpath", "descriptions": [{"lang": "en", "value": "Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\"."}], "affected": [{"vendor": "github.com/antchfx/xpath", "product": "github.com/antchfx/xpath", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/antchfx/xpath", "versions": [{"version": "0", "lessThan": "1.3.6", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "logicalQuery.Select"}, {"name": "Expr.Evaluate"}, {"name": "NodeIterator.MoveNext"}, {"name": "ancestorQuery.Evaluate"}, {"name": "ancestorQuery.Select"}, {"name": "attributeQuery.Evaluate"}, {"name": "attributeQuery.Select"}, {"name": "booleanQuery.Evaluate"}, {"name": "booleanQuery.Select"}, {"name": "cachedChildQuery.Evaluate"}, {"name": "cachedChildQuery.Select"}, {"name": "childQuery.Evaluate"}, {"name": "childQuery.Select"}, {"name": "descendantOverDescendantQuery.Evaluate"}, {"name": "descendantOverDescendantQuery.Select"}, {"name": "descendantQuery.Evaluate"}, {"name": "descendantQuery.Select"}, {"name": "filterQuery.Evaluate"}, {"name": "filterQuery.Select"}, {"name": "followingQuery.Evaluate"}, {"name": "followingQuery.Select"}, {"name": "functionQuery.Evaluate"}, {"name": "groupQuery.Evaluate"}, {"name": "groupQuery.Select"}, {"name": "lastFuncQuery.Evaluate"}, {"name": "logicalQuery.Evaluate"}, {"name": "mergeQuery.Evaluate"}, {"name": "mergeQuery.Select"}, {"name": "numericQuery.Evaluate"}, {"name": "parentQuery.Evaluate"}, {"name": "parentQuery.Select"}, {"name": "precedingQuery.Evaluate"}, {"name": "precedingQuery.Select"}, {"name": "selfQuery.Evaluate"}, {"name": "selfQuery.Select"}, {"name": "transformFunctionQuery.Evaluate"}, {"name": "transformFunctionQuery.Select"}, {"name": "unionQuery.Evaluate"}, {"name": "unionQuery.Select"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "references": [{"url": "https://github.com/antchfx/xpath/issues/121"}, {"url": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"}, {"url": "https://github.com/golang/vulndb/issues/4526"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4526"}]}, "adp": [{"references": [{"url": "https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:12:30.141178Z", "id": "CVE-2026-32287", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:55:05.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32287", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:12:30.141178Z"}}}], "references": [{"url": "https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:12:56.371Z"}}], "cna": {"title": "Infinite loop in github.com/antchfx/xpath", "affected": [{"vendor": "github.com/antchfx/xpath", "product": "github.com/antchfx/xpath", "versions": [{"status": "affected", "version": "0", "lessThan": "1.3.6", "versionType": "semver"}], "packageName": "github.com/antchfx/xpath", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "logicalQuery.Select"}, {"name": "Expr.Evaluate"}, {"name": "NodeIterator.MoveNext"}, {"name": "ancestorQuery.Evaluate"}, {"name": "ancestorQuery.Select"}, {"name": "attributeQuery.Evaluate"}, {"name": "attributeQuery.Select"}, {"name": "booleanQuery.Evaluate"}, {"name": "booleanQuery.Select"}, {"name": "cachedChildQuery.Evaluate"}, {"name": "cachedChildQuery.Select"}, {"name": "childQuery.Evaluate"}, {"name": "childQuery.Select"}, {"name": "descendantOverDescendantQuery.Evaluate"}, {"name": "descendantOverDescendantQuery.Select"}, {"name": "descendantQuery.Evaluate"}, {"name": "descendantQuery.Select"}, {"name": "filterQuery.Evaluate"}, {"name": "filterQuery.Select"}, {"name": "followingQuery.Evaluate"}, {"name": "followingQuery.Select"}, {"name": "functionQuery.Evaluate"}, {"name": "groupQuery.Evaluate"}, {"name": "groupQuery.Select"}, {"name": "lastFuncQuery.Evaluate"}, {"name": "logicalQuery.Evaluate"}, {"name": "mergeQuery.Evaluate"}, {"name": "mergeQuery.Select"}, {"name": "numericQuery.Evaluate"}, {"name": "parentQuery.Evaluate"}, {"name": "parentQuery.Select"}, {"name": "precedingQuery.Evaluate"}, {"name": "precedingQuery.Select"}, {"name": "selfQuery.Evaluate"}, {"name": "selfQuery.Select"}, {"name": "transformFunctionQuery.Evaluate"}, {"name": "transformFunctionQuery.Select"}, {"name": "unionQuery.Evaluate"}, {"name": "unionQuery.Select"}]}], "references": [{"url": "https://github.com/antchfx/xpath/issues/121"}, {"url": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"}, {"url": "https://github.com/golang/vulndb/issues/4526"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4526"}], "descriptions": [{"lang": "en", "value": "Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\"."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:52.142Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32287", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:55:05.920Z", "dateReserved": "2026-03-11T16:38:46.556Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-26T19:40:52.142Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\"."}, {"lang": "es", "value": "Expresiones booleanas de XPath que se eval\u00faan como verdaderas pueden causar un bucle infinito en logicalQuery.Select, lo que lleva a un uso del 100% de la CPU. Esto puede ser activado por selectores de nivel superior como 1=1 o true()."}], "id": "CVE-2026-32287", "lastModified": "2026-03-30T15:16:28.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T20:16:12.403", "references": [{"source": "security@golang.org", "url": "https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494"}, {"source": "security@golang.org", "url": "https://github.com/antchfx/xpath/issues/121"}, {"source": "security@golang.org", "url": "https://github.com/golang/vulndb/issues/4526"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4526"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "github.com/antchfx/xpath: github.com/antchfx/xpath: Denial of Service due to infinite loop via boolean XPath expressions", "id": "2451856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451856"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as \"1=1\" or \"true()\".", "A flaw was found in github.com/antchfx/xpath. An attacker could exploit this vulnerability by providing specially crafted boolean XPath expressions that evaluate to true. This can cause an infinite loop within the logicalQuery.Select function, leading to 100% CPU utilization. The consequence is a Denial of Service (DoS) condition, making the affected system unresponsive."], "name": "CVE-2026-32287", "package_state": [{"cpe": "cpe:/a:redhat:openshift_compliance_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "Compliance Operator"}, {"cpe": "cpe:/a:redhat:openshift_compliance_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "Compliance Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-must-gather-rhel8", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-openscap-rhel8", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-operator-bundle", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:openshift_file_integrity_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "File Integrity Operator"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-dotnet-external-provider-rhel8", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-dotnet-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-generic-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-java-external-provider-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-solution-server-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-must-gather-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-openscap-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "compliance/openshift-compliance-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/opentelemetry-collector-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-jaeger-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Fix deferred", "package_name": "rhosdt/tempo-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2026-03-26T19:40:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32287\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32287\nhttps://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494\nhttps://github.com/antchfx/xpath/issues/121\nhttps://github.com/golang/vulndb/issues/4526\nhttps://pkg.go.dev/vuln/GO-2026-4526"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "github.com/antchfx/xpath", "source": "cna", "vendor": "github.com/antchfx/xpath"}, "product": "xpath", "vendor": "antchfx"}], "analysis": {"en": {"generated_at": "2026-03-27T22:07:30.978803+00:00", "value": {"mitigation_remediation": ["Update the antchfx/xpath library to the patched revision identified in the advisory commit. ", "Validate or sanitize XPath queries before evaluation to reject or transform boolean expressions that could cause an infinite loop. ", "Implement application-level monitoring or rate limiting for CPU usage to detect and mitigate sudden spikes that may indicate exploitation."], "summary": {"action": "Patch", "impact": "Denial of Service via CPU exhaustion"}, "threat_synthesis": {"affected_systems": "The antchfx/xpath Go library is affected. Any Go application that imports this package and processes untrusted XPath expressions is at risk. No particular version range is specified in the advisory, so all released versions are potentially vulnerable until the fix from the referenced commit is applied.", "description_and_impact": "Boolean XPath expressions that evaluate to true, such as \"1=1\" or \"true()\", trigger an infinite loop in the logicalQuery.Select function of the antchfx/xpath Go library. The loop consumes all CPU resources, leading to a denial of service for the process that evaluates the expression. This flaw does not enable code execution but can degrade the availability of the application by exhausting CPU cycles.", "risk_and_exploitability": "The likelihood of exploitation is low, as the EPSS probability is below 1%. The vulnerability is not listed in the CISA KEV catalog. An attacker could deliver a crafted XPath query containing a boolean expression through user input or external data, triggering the infinite loop and causing 100% CPU usage. In environments where service availability is critical, the impact may be significant, but the attack requires only application-level access to provide the query."}}}}, "created": "2026-03-27T08:32:23.719221+00:00", "updated": "2026-03-29T20:27:50.908178+00:00", "vendors": ["antchfx", "antchfx$PRODUCT$xpath"], "weaknesses": ["CWE-770"]}