CVE-2026-32287

HIGH 7.5

Infinite loop in github.com/antchfx/xpath

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

4th

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

Vendor	github.com/antchfx/xpath
Product	github.com/antchfx/xpath
Published	Mar 26, 2026
Last Updated	Mar 30, 2026

Stay Ahead of the Next One

Get instant alerts for github.com/antchfx/xpath github.com/antchfx/xpath

Be the first to know when new high vulnerabilities affecting github.com/antchfx/xpath github.com/antchfx/xpath are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

github.com/antchfx/xpath / github.com/antchfx/xpath

0 < 1.3.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/antchfx/xpath/issues/121 github.com: https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494 github.com: https://github.com/golang/vulndb/issues/4526 pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4526 securityinfinity.com: https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select