CVE-2026-44665 (HIGH): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2026-44665	HIGH	fast-xml-builder	1.1.5	1.1.7	2026-05-13T16:16:59.093Z	2026-05-14T10:18:16.209789768Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:d4eba5f84c0d7cafdc0ce886c15ca01b51829e1a03b4420e4118fb1c39169f47
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:92dae8302a45e8fd81ee3814c6fb8f4fa8cc8a89dd78dfbefc403a90b07e1fbc
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:d4eba5f84c0d7cafdc0ce886c15ca01b51829e1a03b4420e4118fb1c39169f47

---

Description

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.

---

Remediation Steps

• Update the affected package fast-xml-builder from version 1.1.5 to 1.1.7.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.