CVE-2026-32287

Publication date 30 March 2026

Last updated 30 March 2026

Ubuntu priority

Description

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

Status

Show unmaintained releases

Package	Ubuntu Release	Status
golang-github-antchfx-xpath	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-32287
https://github.com/antchfx/xpath/issues/121
https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494
https://github.com/golang/vulndb/issues/4526
https://pkg.go.dev/vuln/GO-2026-4526

CVE-2026-32287

Description

Status

References

Other references

Access our resources on patching vulnerabilities