CVE-2026-32287

HIGH

Infinite loop in github.com/antchfx/xpath

Title source: cna

Description

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

References (5)

https://github.com/antchfx/xpath/issues/121

https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494

View Patch ZIP pw:eip

https://github.com/golang/vulndb/issues/4526

https://pkg.go.dev/vuln/GO-2026-4526

[Various Sources] https://securityinfinity.com/research/infinite-loop-dos-in-antchfx-xpath-logicalquery-select

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 19.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-835

Status published

Products (3)

antchfx/xpath < 1.3.6

antchfx/xpath 0 - 1.3.6Go

github.com/antchfx/xpath/github.com/antchfx/xpath < 1.3.6

Published Mar 26, 2026

Tracked Since Mar 27, 2026