XML DOM Processing Instruction Vulnerability in xmldom Module
CVE-2026-41675

8.7 HIGH

Key Information:

Vendor: Xmldom

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-41675?

The xmldom module, which implements the W3C standard for XML DOM, contains a vulnerability that permits the serialization of attacker-controlled processing instruction data. This flaw can allow an attacker to manipulate the XML output by prematurely terminating processing instructions, potentially leading to the injection of arbitrary XML nodes. Affected users should upgrade to versions @xmldom/xmldom 0.9.10, 0.8.13 or xmldom 0.6.0 and above to mitigate this risk.
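The check below is an added example, not code from xmldom or from this advisory: it walks a DOM tree before serialization and reports processing instructions whose data contains the `?>` terminator. The function names and the constructed plain-object tree are assumptions; the tree only mimics the standard DOM fields `nodeType`, `target`, `data` and `childNodes`, and the target check is a simplified stand-in for the full XML Name rule.

```javascript
// Added example: pre-serialization guard for processing instruction (PI) nodes.
const PROCESSING_INSTRUCTION_NODE = 7; // standard DOM nodeType value

// Returns a reason string if the PI cannot be serialized safely, else null.
function checkPI(target, data) {
  // Simplified target check (assumption): no whitespace, '?', '<' or '>'.
  if (typeof target !== 'string' || !/^[^\s?<>]+$/.test(target)) {
    return 'invalid target';
  }
  // The XML spec reserves the target "xml" in any letter case.
  if (/^xml$/i.test(target)) return 'reserved target';
  // "?>" inside the data would close the PI early in the serialized output.
  if (String(data).includes('?>')) return 'data contains "?>"';
  return null;
}

// Walks the tree in document order and collects every unsafe PI.
function findUnsafePIs(root) {
  const findings = [];
  const stack = [{ node: root, path: '/' }];
  while (stack.length > 0) {
    const { node, path } = stack.pop();
    if (node.nodeType === PROCESSING_INSTRUCTION_NODE) {
      const reason = checkPI(node.target, node.data);
      if (reason) findings.push({ path, target: node.target, reason });
    }
    const kids = node.childNodes || [];
    // Push in reverse so children are visited first to last.
    for (let i = kids.length - 1; i >= 0; i--) {
      stack.push({ node: kids[i], path: `${path}${i}/` });
    }
  }
  return findings;
}

// Constructed sample tree (not taken from the advisory).
const sampleDoc = {
  nodeType: 9,
  childNodes: [
    { nodeType: 7, target: 'xml-stylesheet', data: 'href="a.xsl"' },
    { nodeType: 1, nodeName: 'root', childNodes: [
      { nodeType: 7, target: 'note', data: 'x ?><extra/>' },
    ] },
  ],
};

console.log(findUnsafePIs(sampleDoc));
```

A non-empty result means the document should be rejected or the offending node dropped before it reaches the serializer.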

Affected Version(s)

xmldom xmldom <= 0.6.0

xmldom @xmldom/xmldom >= 0.9.0, < 0.9.10

xmldom @xmldom/xmldom < 0.8.13

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
