JavaScript XML DOM Library Vulnerability in xmldom by xmldom
CVE-2026-41674

8.7 HIGH

Key Information:

Vendor

Xmldom

Status
Vendor
CVE Published:
7 May 2026

What is CVE-2026-41674?

The xmldom library for JavaScript, specifically @xmldom/xmldom before 0.9.10 and before 0.8.13, as well as version 0.6.0 of the unscoped xmldom package, serializes the fields of a DocumentType node without validating them. When those fields carry attacker-controlled input, the serialized DOCTYPE declaration can be terminated early, allowing arbitrary markup to be inserted into the output unexpectedly. This flaw poses a significant risk and has been mitigated in later releases (0.9.10 and 0.8.13 of @xmldom/xmldom).
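The advisory describes the fix only as proper validation of DocumentType fields before serialization. The following is an added example, not xmldom's own code or its patch: it checks the three fields a serializer writes into a DOCTYPE (name, publicId, systemId) against the XML 1.0 grammar productions for Name, PubidChar and Char, refuses values that cannot be quoted, and only then emits the declaration. The PUBLIC/SYSTEM layout, the function names and the hostile sample values are assumptions constructed for this illustration.

```javascript
// Added example, not xmldom's own code: validate the DocumentType fields a
// serializer writes into a DOCTYPE (name, publicId, systemId) against the
// XML 1.0 grammar before emitting them, so attacker-controlled values cannot
// close the declaration early or carry extra markup into the output.

// XML 1.0 NameStartChar and NameChar ranges (the `u` flag is needed for the
// supplementary-plane range \u{10000}-\u{EFFFF}).
const NAME_START =
  ':A-Z_a-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D' +
  '\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF' +
  '\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\u{10000}-\\u{EFFFF}';
const NAME_CHAR = NAME_START + '\\-.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040';
const XML_NAME = new RegExp('^[' + NAME_START + '][' + NAME_CHAR + ']*$', 'u');

// XML 1.0 PubidChar: the only characters allowed inside a public identifier.
// '"', '<' and '>' are deliberately absent from this set.
const PUBID_CHARS = /^[ \r\na-zA-Z0-9\-'()+,.\/:=?;!*#@$_%]*$/;

// XML 1.0 Char: what a system identifier may contain. Quoting is checked
// separately because a SystemLiteral may use either quote style.
const XML_CHARS = /^[\t\n\r\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]*$/u;

// Returns a list of problems; an empty list means the fields are safe to emit.
function validateDoctype({ name, publicId = '', systemId = '' }) {
  const errors = [];
  for (const [field, value] of [['name', name], ['publicId', publicId], ['systemId', systemId]]) {
    if (typeof value !== 'string') errors.push(`${field} must be a string`);
  }
  if (errors.length) return errors;
  if (!XML_NAME.test(name)) errors.push('name is not a valid XML Name');
  if (!PUBID_CHARS.test(publicId)) errors.push('publicId contains characters outside PubidChar');
  if (!XML_CHARS.test(systemId)) errors.push('systemId contains characters outside Char');
  if (systemId.includes('"') && systemId.includes("'")) {
    errors.push('systemId contains both quote characters and cannot be written as a SystemLiteral');
  }
  return errors;
}

// Serializes only after validation. The PUBLIC/SYSTEM layout below is the
// usual DOCTYPE shape, assumed here rather than copied from xmldom.
function serializeDoctype(doctype) {
  const errors = validateDoctype(doctype);
  if (errors.length) throw new Error('refusing to serialize DOCTYPE: ' + errors.join('; '));
  const { name, publicId = '', systemId = '' } = doctype;
  // A public id never contains '"', so it can always use double quotes; a
  // system id picks whichever quote it does not contain.
  const quoteSystem = (s) => (s.includes('"') ? `'${s}'` : `"${s}"`);
  let out = `<!DOCTYPE ${name}`;
  if (publicId !== '') {
    out += ` PUBLIC "${publicId}"`;
    if (systemId !== '') out += ` ${quoteSystem(systemId)}`;
  } else if (systemId !== '') {
    out += ` SYSTEM ${quoteSystem(systemId)}`;
  }
  return out + '>';
}

// Constructed inputs: one well-formed DOCTYPE and three hostile field values
// of the kind that would end the declaration early if written unchecked.
const XHTML_STRICT = {
  name: 'html',
  publicId: '-//W3C//DTD XHTML 1.0 Strict//EN',
  systemId: 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd',
};
const HOSTILE = [
  { name: 'html><injected/>' },                // '>' would close the declaration
  { name: 'svg', publicId: '"><injected/>' },  // '"' would end the PubidLiteral
  { name: 'svg', systemId: 'a"b\'c' },         // cannot be quoted as a SystemLiteral
];

console.log(serializeDoctype(XHTML_STRICT));
for (const d of HOSTILE) console.log(JSON.stringify(d), '->', validateDoctype(d));
```

The validator is deliberately strict rather than escaping: XML has no escape mechanism inside a DOCTYPE name or public identifier, so a value that does not fit the grammar can only be rejected, never repaired in place.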

Affected Version(s)

Vendor: xmldom, Product: xmldom, Versions: <= 0.6.0

Vendor: xmldom, Product: @xmldom/xmldom, Versions: >= 0.9.0, < 0.9.10

Vendor: xmldom, Product: @xmldom/xmldom, Versions: < 0.8.13

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
