CVE 8.7 HIGH

xmldom: XML injection through unvalidated DocumentType serialization (CVE-2026-41674)

8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

xmldom is a pure JavaScript, W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom before 0.9.10 and before 0.8.13, and in the unscoped xmldom package at version 0.6.0 and earlier, the serializer writes the DocumentType node fields `internalSubset`, `publicId` and `systemId` verbatim, with no escaping or validation. When an application sets these fields programmatically from attacker-controlled strings, `XMLSerializer.serializeToString` can emit output in which the DOCTYPE declaration is closed early and arbitrary markup follows it, outside the declaration. DOCTYPE literals have no entity-escaping mechanism, so a serializer cannot neutralise such values by escaping; it has to validate them against the XML grammar and refuse values that cannot be represented (a system literal containing both quote characters, a public identifier with characters outside PubidChar, an internal subset with a stray `]`). The issue is fixed in @xmldom/xmldom 0.9.10 and 0.8.13; no fixed release is listed for the unscoped xmldom package.
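The following is an added illustration written for this page, not code from @xmldom/xmldom. It models the flawed pattern the advisory describes (DocumentType fields copied verbatim into the DOCTYPE) beside a validating serializer that rejects what the XML 1.0 grammar cannot represent. The function names, the rejection rules and the sample DocumentType-like objects are assumptions constructed for the example; they are not the library's API or its patch.

```javascript
// Added illustration for CVE-2026-41674, not code from @xmldom/xmldom.
// A DocumentType-like object {name, publicId, systemId, internalSubset} is
// serialized two ways: verbatim (the flawed pattern the advisory describes)
// and after validation against the XML 1.0 grammar. All function names and
// sample inputs are constructed for this example.

// Flawed pattern: every field is copied into the output untouched.
function serializeDoctypeUnchecked(dt) {
  let out = '<!DOCTYPE ' + dt.name;
  if (dt.publicId) {
    out += ' PUBLIC "' + dt.publicId + '" "' + dt.systemId + '"';
  } else if (dt.systemId) {
    out += ' SYSTEM "' + dt.systemId + '"';
  }
  if (dt.internalSubset) out += ' [' + dt.internalSubset + ']';
  return out + '>';
}

// Simplified ASCII XML Name (the real production also allows non-ASCII ranges).
const NAME_RE = /^[A-Za-z_:][A-Za-z0-9_:.\-]*$/;
// XML 1.0 PubidChar: #x20 | #xD | #xA | [a-zA-Z0-9] | [-'()+,./:=?;!*#@$_%]
const PUBID_RE = /^[\x20\r\na-zA-Z0-9\-'()+,.\/:=?;!*#@$_%]*$/;

// Scan an internal subset, skipping quoted literals, comments and PIs, and
// report the first construct that would let the DOCTYPE close early or leave
// the output malformed. Returns null when the subset is acceptable.
function checkInternalSubset(s) {
  let i = 0;
  while (i < s.length) {
    const c = s[i];
    if (c === '"' || c === "'") {
      const close = s.indexOf(c, i + 1);
      if (close < 0) return 'unterminated quoted literal in internalSubset';
      i = close + 1;
    } else if (s.startsWith('<!--', i)) {
      const close = s.indexOf('-->', i + 4);
      if (close < 0) return 'unterminated comment in internalSubset';
      i = close + 3;
    } else if (s.startsWith('<?', i)) {
      const close = s.indexOf('?>', i + 2);
      if (close < 0) return 'unterminated processing instruction in internalSubset';
      i = close + 2;
    } else if (c === ']') {
      // A bare ']' is never valid in intSubset; the next '>' would close the DOCTYPE.
      return 'bare "]" in internalSubset';
    } else {
      i += 1;
    }
  }
  return null;
}

// Returns the reason the DocumentType cannot be serialized safely, or null.
function validateDoctype(dt) {
  if (!NAME_RE.test(dt.name)) return 'invalid DOCTYPE name';
  if (dt.publicId) {
    if (!PUBID_RE.test(dt.publicId)) return 'publicId contains a non-PubidChar character';
    // ExternalID ::= 'PUBLIC' S PubidLiteral S SystemLiteral, so a systemId is required.
    if (!dt.systemId) return 'PUBLIC identifier without a systemId';
  }
  // SystemLiteral is delimited by " or ', so one kind of quote may appear, never both.
  if (dt.systemId && dt.systemId.includes('"') && dt.systemId.includes("'")) {
    return 'systemId contains both quote characters';
  }
  if (dt.internalSubset) return checkInternalSubset(dt.internalSubset);
  return null;
}

// Hardened pattern: refuse to serialize anything the grammar cannot represent.
// Escaping is not an option here because DOCTYPE literals have no entity mechanism.
function serializeDoctypeChecked(dt) {
  const reason = validateDoctype(dt);
  if (reason) throw new Error('refusing to serialize DocumentType: ' + reason);
  let out = '<!DOCTYPE ' + dt.name;
  if (dt.publicId) out += ' PUBLIC "' + dt.publicId + '"'; // '"' is not a PubidChar, so always safe
  if (dt.systemId) {
    const q = dt.systemId.includes('"') ? "'" : '"'; // pick the delimiter the value does not use
    out += (dt.publicId ? ' ' : ' SYSTEM ') + q + dt.systemId + q;
  }
  if (dt.internalSubset) out += ' [' + dt.internalSubset + ']';
  return out + '>';
}

// Constructed attacker-controlled value, as if an application copied a request
// field into doc.doctype.internalSubset and trusted the serializer.
const MALICIOUS_DOCTYPE = {
  name: 'html',
  publicId: '',
  systemId: '',
  internalSubset: ']><injected attr="x"/><!DOCTYPE html [',
};

// Constructed benign values that must keep working after hardening.
const BENIGN_SVG_DOCTYPE = {
  name: 'svg',
  publicId: '-//W3C//DTD SVG 1.1//EN',
  systemId: 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd',
  internalSubset: '',
};
const BENIGN_ENTITY_DOCTYPE = {
  name: 'x',
  publicId: '',
  systemId: '',
  internalSubset: '<!ENTITY e "]>">', // ']' inside a quoted literal is legal
};

console.log(serializeDoctypeUnchecked(MALICIOUS_DOCTYPE)); // DOCTYPE closed early, <injected/> escapes it
console.log(validateDoctype(MALICIOUS_DOCTYPE));           // the checked serializer refuses this value
console.log(serializeDoctypeChecked(BENIGN_SVG_DOCTYPE));  // ordinary doctypes are unaffected
```

The validator is a scanner, not a DTD parser: it guarantees that the emitted text stays inside one `<!DOCTYPE ...>` declaration and that every literal, comment and processing instruction is closed, but it does not check that each `<!ENTITY>` or `<!ELEMENT>` declaration is itself well-formed. That narrower property is the one the injection depends on, which is why a few lines of state tracking are enough to close it.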

AI Analysis

XML injection through unvalidated DocumentType serialization in xmldom

Basic Information

ID CVE-2026-41674
Source GitHub_M
Published May 7, 2026 at 03:47

Affected Product

Vendor xmldom
Product xmldom
Version xmldom <= 0.6.0
Affected Versions
xmldom <= 0.6.0
@xmldom/xmldom >= 0.9.0, < 0.9.10
@xmldom/xmldom < 0.8.13

CWE Classification

AI Assessment

AI Score 8.7 / 10
AI Severity High
Vendor xmldom
Product xmldom
Version 0.6.0 and prior, 0.9.0 to 0.9.9, 0.8.0 to 0.8.12

References
