/ 
XML-LibXML-2.0208
/ XML::LibXML::Literal
Security Advisories (1)
CVE-2026-8177 (2026-05-10)

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.

NAME

XML::LibXML::Literal - Simple string values.

DESCRIPTION

In XPath terms a Literal is what we know as a string.

API

new($string)

Create a new Literal object with the value in $string. Note that " and ' will be converted to " and ' respectively. That is not part of the XPath specification, but I consider it useful. Note though that you have to go to extraordinary lengths in an XML template file (be it XSLT or whatever) to make use of this:

<xsl:value-of select="&quot;I'm feeling &amp;quot;sad&amp;quot;&quot;"/>

Which produces a Literal of:

I'm feeling "sad"

value()

Also overloaded as stringification, simply returns the literal string value.

cmp($literal)

Returns the equivalent of perl's cmp operator against the given $literal.