XML Structure Injection Vulnerability in xmldom Product by xmldom
CVE-2026-34601

7.5 HIGH

Key Information:

Vendor: Xmldom
Status: Vendor
CVE Published: 2 April 2026

What is CVE-2026-34601?

The xmldom library, a JavaScript implementation of the W3C XML DOM standard, has a serious vulnerability: attacker-controlled strings containing the CDATA terminator (`]]>`) can be inserted into CDATASection nodes without being rejected or split. When such a node is serialized, the terminator closes the CDATA section early, so the serialized XML contains active markup where plain character data was intended. This is an XML structure injection, and consumers downstream that act on the serialized document may have their business logic compromised. Developers using xmldom 0.6.0 and earlier, @xmldom/xmldom earlier than 0.8.12, or @xmldom/xmldom 0.9.0 through 0.9.8 should upgrade immediately to mitigate these risks.
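The following is an added example, not code from the xmldom project. It uses plain JavaScript with no dependency on xmldom to show the failure mode the advisory describes (a verbatim `]]>` in CDATA text terminating the section early) next to the standard defensive serialization, which splits each terminator across two adjacent CDATA sections so the output remains character data and parses back to the original text. The function names and the small `readCdataRun` reader are constructed for this demonstration; the reader is not a general XML parser.

```javascript
// Added example (not xmldom project code). Plain JavaScript, no dependencies.
// Demonstrates why a CDATA terminator inside CDATASection text breaks
// serialization, how to detect it, and the standard defensive fix.

const CDATA_END = ']]>';

// Detection: true if `text` cannot be placed verbatim inside a CDATA section
// because it contains the section terminator.
function containsCdataTerminator(text) {
  return text.includes(CDATA_END);
}

// Mirrors the vulnerable behaviour: text is copied verbatim, so an embedded
// "]]>" closes the section early and whatever follows becomes live markup.
function serializeCdataNaive(text) {
  return `<![CDATA[${text}]]>`;
}

// Hardened serializer: every "]]>" is split across two adjacent CDATA
// sections ("]]]]><![CDATA[>"). The serialized form is always pure
// character data and round-trips to the original text.
function serializeCdataSafe(text) {
  return `<![CDATA[${text.split(CDATA_END).join(']]]]><![CDATA[>')}]]>`;
}

// Minimal reader for a run of adjacent CDATA sections: concatenates their
// character data and returns null if anything other than CDATA sections is
// present (i.e. markup escaped the section). Constructed for this example.
function readCdataRun(xml) {
  const re = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  let out = '';
  let pos = 0;
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m.index !== pos) return null; // non-CDATA content before this section
    out += m[1];
    pos = re.lastIndex;
  }
  return pos === xml.length ? out : null; // trailing non-CDATA content => null
}

// Convenience check: does `serializer` preserve `text` as character data?
function roundTrips(serializer, text) {
  return readCdataRun(serializer(text)) === text;
}

// Constructed sample input: untrusted text that happens to contain "]]>".
const untrusted = 'a]]><note/>b';
console.log('terminator present:', containsCdataTerminator(untrusted));
console.log('naive output      :', serializeCdataNaive(untrusted));
console.log('naive round-trips :', roundTrips(serializeCdataNaive, untrusted)); // false
console.log('safe output       :', serializeCdataSafe(untrusted));
console.log('safe round-trips  :', roundTrips(serializeCdataSafe, untrusted));  // true
```

Either approach closes the gap described here: reject the node when `containsCdataTerminator` is true, or always serialize through the splitting form. The round-trip check is a useful regression test for any code path that writes CDATA from untrusted input.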

Affected Version(s)

xmldom <= 0.6.0

@xmldom/xmldom < 0.8.12

@xmldom/xmldom >= 0.9.0, < 0.9.9

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved