CVE-2026-32287 PUBLISHED

Infinite loop in github.com/antchfx/xpath

Assigner: Go
Reserved: 11.03.2026 Published: 26.03.2026 Updated: 26.03.2026

Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

Product Status

Vendor	github.com/antchfx/xpath
Product	github.com/antchfx/xpath
Versions	Default: unaffected affected from 0 to 1.3.6 (excl.)

References

https://github.com/antchfx/xpath/issues/121
https://github.com/antchfx/xpath/commit/afd4762cc342af56345a3fb4002a59281fcab494
https://github.com/golang/vulndb/issues/4526
https://pkg.go.dev/vuln/GO-2026-4526

Problem Types

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')