HIGH SeverityCVSS 4.08.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVE-2026-41674

Last updated May 07, 2026 · Published May 07, 2026

Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

Affected products

1 listed

xmldom:xmldom

Mappings

CWE

CWE-91

CAPEC

None listed.

Training

Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.
Input Validation and Schema EnforcementValidate early, validate strictly - schemas, allowlists, and type-safe boundaries.

CVE-2026-41674

Description

Affected products

Mappings

Related