CVE-2026-44664 (MEDIUM): detected in Lambda Docker Images. #523

@the-lambda-watchdog

CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-44664 | MEDIUM | fast-xml-builder | 1.1.5 | 1.1.6 | 2026-05-13T16:16:58.937Z | 2026-05-14T10:18:16.209789768Z |

Affected Docker Images

| Image Name | SHA |
| --- | --- |
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:d4eba5f84c0d7cafdc0ce886c15ca01b51829e1a03b4420e4118fb1c39169f47 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:92dae8302a45e8fd81ee3814c6fb8f4fa8cc8a89dd78dfbefc403a90b07e1fbc |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:d4eba5f84c0d7cafdc0ce886c15ca01b51829e1a03b4420e4118fb1c39169f47 |

Description

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.


Remediation Steps

  • Update the affected package fast-xml-builder from version 1.1.5 to 1.1.6.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
