CVE-2026-41672

xmldom: XML node injection through unvalidated comment serialization

CVSS 8.7 HIGH · EPSS 0.3% · CWE-91
In short

The xmldom library does not neutralize comment-terminating sequences in XML comment content, so an attacker who controls that content can close the comment early and inject XML nodes into the serialized output. Applications that serialize untrusted data into XML comments can end up with corrupted or attacker-shaped documents.

Technical detail

XML comment serialization in xmldom prior to versions 0.9.10 and 0.8.13 does not validate or neutralize comment-terminating sequences (CWE-91: XML injection), allowing an attacker who controls comment content to prematurely close the comment and inject arbitrary XML nodes into the serialized output. The vulnerability requires attacker input to be included in XML comments processed by the library's XMLSerializer.

Summary generated and translated by AI from the official description.
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
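The defect and the check that prevents it, as an added example that is not xmldom's own code. It models comment serialization with a few standalone functions: a naive serializer that concatenates comment data unchecked, the XML well-formedness rule that such data violates, a rejecting and a neutralizing alternative, and a wrapper around a DOM document's `createComment()` that validates before creating the node. The `stubDoc` object, the function names and the payload string are constructed for this demonstration and are not part of the library or the advisory.

```javascript
// Added example (not xmldom's code). Models the comment-serialization defect
// described in the advisory and the validation a defender wants in front of it.

// XML 1.0 restricts comment data: it must not contain "--" and must not end
// with "-"  (Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->').
// Any input breaking that rule can terminate the comment before the serializer
// writes its own "-->".
function isWellFormedCommentData(data) {
  return !data.includes('--') && !data.endsWith('-');
}

// Vulnerable pattern: attacker-controlled text is concatenated into a comment
// with no check, so a "-->" inside the data closes the comment early.
function serializeCommentNaive(data) {
  return '<!--' + data + '-->';
}

// Defensive pattern 1: refuse data that is not well-formed comment content.
function serializeCommentStrict(data) {
  if (!isWellFormedCommentData(data)) {
    throw new Error('comment data contains a comment-breaking sequence');
  }
  return '<!--' + data + '-->';
}

// Defensive pattern 2: neutralize instead of reject, for cases where the text
// must be kept. Every "-" that is followed by another "-" gets a space after
// it, and a trailing "-" gets a trailing space, so no "--" and no final "-"
// survive; the result always passes isWellFormedCommentData().
function neutralizeCommentData(data) {
  let out = data.replace(/-(?=-)/g, '- ');
  if (out.endsWith('-')) out += ' ';
  return out;
}

// Integration point: validate before the comment node is ever created. `doc`
// is any object exposing createComment(data), such as a parsed DOM document;
// this keeps unsafe data out of the tree rather than relying on the serializer.
function createValidatedComment(doc, data) {
  if (!isWellFormedCommentData(data)) {
    throw new Error('refusing to create comment from unsafe data');
  }
  return doc.createComment(data);
}

// Constructed payload (hypothetical): closes the comment, injects an element,
// then reopens a comment so the serializer's trailing "-->" still parses.
const CONSTRUCTED_PAYLOAD = '--><injected/><!--';

// Minimal stand-in for a DOM document so the example runs offline (constructed).
const stubDoc = {
  createComment(data) {
    return { nodeType: 8, data };
  },
};

// Stand-alone demonstration: the injected element ends up outside the comment
// in the naive output, the strict serializer rejects the payload, and the
// neutralized payload serializes as inert comment text.
console.log('naive     :', serializeCommentNaive(CONSTRUCTED_PAYLOAD));
try {
  serializeCommentStrict(CONSTRUCTED_PAYLOAD);
} catch (e) {
  console.log('strict    : rejected -', e.message);
}
console.log('neutralize:', serializeCommentStrict(neutralizeCommentData(CONSTRUCTED_PAYLOAD)));
```

Running the block shows the naive serializer emitting `<!----><injected/><!---->`, where `<injected/>` is a real element rather than comment text; the strict variant throws on the same input, and the neutralized variant writes `<!--- -><injected/><!- - -->`, which a parser reads as one comment. Either the rejecting or the neutralizing check is a reasonable stopgap in application code that cannot yet move to the patched versions, applied at the point where untrusted text enters a comment node.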
Affected products
xmldom · xmldom
