Current behavior
Trivy and Docker Scout report the critical severity vulnerability CVE-2026-25896 (GHSA-m7jm-9gc2-mpf2) in cypress/included:15.11.0 (current latest) regarding fast-xml-parser@4.5.3.
Desired behavior
There should be no critical severity vulnerabilities reported in cypress/included:latest.
Test code to reproduce
trivy image --ignore-unfixed --pkg-types library --scanners vuln --severity CRITICAL cypress/included:15.11.0
Cypress Version
15.11.0
Debug Logs
root/.cache/Cypress/15.11.0/Cypress/resources/app/node_modules/fast-xml-parser/package.json
Node.js (node-pkg)
Total: 2 (CRITICAL: 2)
┌────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ basic-ftp (package.json) │ CVE-2026-27699 │ CRITICAL │ fixed │ 5.0.3 │ 5.2.0 │ basic-ftp: basic-ftp: File overwrite due to path traversal │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-27699 │
├────────────────────────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ fast-xml-parser (package.json) │ CVE-2026-25896 │ │ │ 4.5.3 │ 5.3.5, 4.5.4 │ fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) │
│ │ │ │ │ │ │ due to improper DOCTYPE entity handling │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-25896 │
└────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
Other
Cypress is currently configured with fast-xml-parser@^4.5.3, locked to fast-xml-parser@4.5.3, and this is fixable by updating to fast-xml-parser@4.5.4.