XML DOM Parser Vulnerability in xmldom by xmldom
CVE-2026-41672
What is CVE-2026-41672?
The xmldom package, a widely used XML DOM implementation for JavaScript, contains a vulnerability in the way comment content is handled during XML serialization. Prior to the fixed versions, the library did not adequately validate or neutralize character sequences in comment data that can terminate or otherwise disrupt the comment structure, so attacker-controlled comment text could inject arbitrary XML nodes into the serialized output. An attacker able to influence that output could thereby tamper with serialized documents, which may lead to unauthorized data access or configuration changes downstream. Users are advised to upgrade to versions 0.9.10 or 0.8.13 of @xmldom/xmldom, or version 0.6.0 of xmldom, to mitigate this risk.
Affected Version(s)
Vendor    Product            Affected versions
xmldom    xmldom             <= 0.6.0
xmldom    @xmldom/xmldom     >= 0.9.0, < 0.9.10
xmldom    @xmldom/xmldom     < 0.8.13
