Excessive Recursive Traversals in xmldom Module by xmldom
CVE-2026-41673

8.7 HIGH

Key Information:

Vendor: Xmldom

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-41673?

The xmldom module, a JavaScript implementation of the W3C standard for XML parsing, performs excessive recursive traversals when handling deeply nested DOM trees. The recursion can exceed the maximum call stack size and throw a RangeError, crashing the application. Several versions are affected; the fix is to update @xmldom/xmldom to 0.9.10 or 0.8.13, and to update xmldom beyond version 0.6.0.

Affected Version(s)

xmldom xmldom <= 0.6.0

xmldom @xmldom/xmldom >= 0.9.0, < 0.9.10

xmldom @xmldom/xmldom < 0.8.13
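
An added example (not code from the xmldom project or from this advisory's source): a check that classifies installed package versions against the affected ranges listed above. The inventory shape and all function names are assumptions, and only plain major.minor.patch versions are evaluated.

```javascript
// Parse "major.minor.patch" into numbers. Anything else (pre-release tags,
// ranges, git URLs) returns null and is reported as "unknown" for manual review.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric three-way comparison (-1, 0, 1); a string compare would misorder
// 0.8.13 and 0.8.2, or 0.9.10 and 0.9.9.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges for CVE-2026-41673 as listed on this page.
const AFFECTED = {
  'xmldom': [(v) => compareVersions(v, [0, 6, 0]) <= 0],
  '@xmldom/xmldom': [
    (v) => compareVersions(v, [0, 8, 13]) < 0,
    (v) => compareVersions(v, [0, 9, 0]) >= 0 && compareVersions(v, [0, 9, 10]) < 0,
  ],
};

// Returns "affected", "not-affected", "unknown" or "not-applicable".
function classify(name, version) {
  const known = Object.prototype.hasOwnProperty.call(AFFECTED, name);
  if (!known) return 'not-applicable';
  const v = parseVersion(version);
  if (!v) return 'unknown';
  return AFFECTED[name].some((inRange) => inRange(v)) ? 'affected' : 'not-affected';
}

// Hypothetical inventory shape: [{ name, version }], e.g. flattened from a lockfile.
function audit(deps) {
  return deps.map((d) => ({ ...d, status: classify(d.name, d.version) }));
}

// Constructed sample inventory, not taken from any real project.
const SAMPLE = [
  { name: 'xmldom', version: '0.6.0' },
  { name: '@xmldom/xmldom', version: '0.8.13' },
  { name: '@xmldom/xmldom', version: '0.9.0' },
  { name: '@xmldom/xmldom', version: '0.9.10' },
  { name: '@xmldom/xmldom', version: '0.9.0-beta.1' },
  { name: 'left-pad', version: '1.3.0' },
];
console.table(audit(SAMPLE));
```

Entries reported as "unknown" need a manual comparison against the ranges above rather than being treated as safe.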

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
