Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator `]]>` to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: XML Injection
Action: Immediate Patch
AI Analysis

Impact

xmldom, a pure JavaScript implementation of the W3C XML DOM Level 2 Core, contains a flaw in its CDATASection handling. The XMLSerializer fails to escape or split an attacker-controlled `]]>` terminator inserted into a CDATA section, writing the terminator verbatim and turning the intended text into active XML markup. This permits arbitrary XML structure injection, allowing an attacker to manipulate the serialized document and potentially alter application logic or data transported in the XML.

Affected Systems

The vulnerability affects the xmldom package (vendor/product xmldom:xmldom). Versions 0.6.0 and older are susceptible, as are the @xmldom/xmldom releases prior to 0.8.12 and 0.9.9. Users of these libraries in Node.js or browser environments that serialize XML with XMLSerializer must check whether their code places user data inside CDATA sections and upgrade to the patched releases.

Risk and Exploitability

The advisory lists a CVSS score of 7.5, indicating a high risk and moderate to high impact. EPSS data is not reported and the vulnerability is not in the CISA KEV catalogue, suggesting it is not yet widely attacked. Based on the description, it is inferred that an attacker who can influence the XML content serialized by xmldom can insert a CDATA terminator and thereby cause arbitrary XML markup to be emitted. The likely attack vector is remote if the application accepts untrusted input for serialization, but the exact conditions depend on how the library is used. Successful exploitation could lead to unauthorized manipulation of XML structure and downstream application logic.

Generated by OpenCVE AI on April 2, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade xmldom to version 0.6.0 or later and @xmldom/xmldom to version 0.8.12 or 0.9.9 or later.
  • If an immediate upgrade is not feasible, avoid using CDATA sections that contain user data; sanitize any occurrence of the string `]]>` before serialization.
  • Verify that the application does not rely on unsanitized CDATA content and review code paths that serialize XML with xmldom.
  • Monitor the project’s advisory feed and npm registry for updated versions.
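The flaw described above and the `]]>` sanitization recommended in the actions both come down to one serializer decision. The following JavaScript is an added example, not code from xmldom or @xmldom/xmldom: it places a verbatim CDATA writer (the behaviour the advisory describes) beside two safe variants, one that rejects the terminator and one that splits it the standard way (`]]]]><![CDATA[>`), and includes a small CDATA scanner, written for this example, that shows what a parser reads back from each form. The input string is constructed for the example.

```javascript
// Added example, not code from xmldom or @xmldom/xmldom. It demonstrates the
// serializer decision the advisory describes: a CDATA writer that emits the
// terminator "]]>" verbatim versus one that rejects it or splits it safely.

const CDATA_OPEN = '<![CDATA[';
const CDATA_TERMINATOR = ']]>';

// Detection check: does user-supplied text contain the CDATA terminator?
function containsCdataTerminator(text) {
  return text.includes(CDATA_TERMINATOR);
}

// Verbatim writer (the behaviour the advisory describes as vulnerable): a
// "]]>" inside the text closes the section early, and whatever follows is
// read by the parser as markup or ordinary content, not as character data.
function naiveCdata(text) {
  return CDATA_OPEN + text + CDATA_TERMINATOR;
}

// Rejecting writer: refuse to serialize text that cannot be represented in a
// single CDATA section. Suitable when "]]>" should never reach the serializer.
function rejectingCdata(text) {
  if (containsCdataTerminator(text)) {
    throw new Error('CDATA content must not contain "]]>"');
  }
  return naiveCdata(text);
}

// Splitting writer: the standard safe encoding. Every "]]>" becomes
// "]]" + "]]><![CDATA[" + ">", so the terminator is broken across two adjacent
// sections, no section body ever contains it, and the parsed character data is
// identical to the original text.
function safeCdata(text) {
  const splitter = ']]' + CDATA_TERMINATOR + CDATA_OPEN + '>';
  return CDATA_OPEN + text.split(CDATA_TERMINATOR).join(splitter) + CDATA_TERMINATOR;
}

// Minimal CDATA scanner, written for this example, that mimics how a parser
// reads serialized output: it returns the concatenated character data of all
// CDATA sections plus whatever sits outside any section (which a parser would
// interpret as markup or ordinary content, not as the original CDATA text).
function scanCdata(serialized) {
  const text = [];
  const outside = [];
  let i = 0;
  while (i < serialized.length) {
    const start = serialized.indexOf(CDATA_OPEN, i);
    if (start === -1) { outside.push(serialized.slice(i)); break; }
    if (start > i) outside.push(serialized.slice(i, start));
    const bodyStart = start + CDATA_OPEN.length;
    const end = serialized.indexOf(CDATA_TERMINATOR, bodyStart);
    if (end === -1) { outside.push(serialized.slice(start)); break; }
    text.push(serialized.slice(bodyStart, end));
    i = end + CDATA_TERMINATOR.length;
  }
  return { text: text.join(''), outside: outside.join('') };
}

// Constructed untrusted input: the terminator followed by an element.
const CONSTRUCTED_INPUT = 'note ]]><extra/> more';

// Compare what a parser reads back from the verbatim and the splitting writer.
function compareWriters(input) {
  return {
    naive: scanCdata(naiveCdata(input)),
    safe: scanCdata(safeCdata(input)),
  };
}

const comparison = compareWriters(CONSTRUCTED_INPUT);
console.log('verbatim writer :', JSON.stringify(comparison.naive));
console.log('splitting writer:', JSON.stringify(comparison.safe));
```

With the constructed input, the verbatim writer yields character data `note ` and leaves `<extra/> more]]>` outside any section, which is the structure injection the advisory describes; the splitting writer yields the full original string as character data and nothing outside. Where the application can simply refuse such input, `rejectingCdata` is the stricter choice; where the text must be preserved, `safeCdata` is the one to use.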

Advisories

Source: GitHub GHSA
ID: GHSA-wh4c-j3r5-mjhp
Title: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
History

Each entry lists the values added; no values were removed in any entry.

Fri, 03 Apr 2026 16:30:00 +0000
Metrics (ssvc), values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000
First Time appeared, values added: Xmldom; Xmldom xmldom
Vendors & Products, values added: Xmldom; Xmldom xmldom

Thu, 02 Apr 2026 20:30:00 +0000
Description, values added: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator `]]>` to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
Title, values added: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
Weaknesses, values added: CWE-91
References, values added: (no values shown)
Metrics (cvssV3_1), values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:03:21.485Z

Reserved: 2026-03-30T17:15:52.500Z

Link: CVE-2026-34601

Vulnrichment

Updated: 2026-04-03T16:03:11.347Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T18:16:31.933

Modified: 2026-04-03T16:16:40.603

Link: CVE-2026-34601

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:12Z

Weaknesses