Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
Published: 2026-05-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the XML serializer of the xmldom library. @xmldom/xmldom versions prior to 0.9.10 and 0.8.13, and the legacy xmldom package at 0.6.0 and earlier, serialize attacker-controlled comment content without validating or neutralizing comment-breaking sequences. If a comment's data contains the closing marker, the serializer ends the comment prematurely and the characters that follow are emitted as ordinary XML nodes. The flaw is classified as CWE-91 (XML Injection).

Affected Systems

All @xmldom/xmldom releases older than 0.9.10 or 0.8.13, and all releases of the legacy xmldom package at 0.6.0 or earlier, are affected. Any project that imports one of those versions, directly or through a transitive dependency, is at risk.

Risk and Exploitability

The CVSS score of 8.7 reflects a high-severity vulnerability. An attacker only needs to supply an XML document containing a crafted comment; no special configuration or elevated privileges are required. Because the injection occurs during serialization, downstream components that consume the produced XML may receive the attacker-supplied nodes. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 7, 2026 at 06:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the xmldom package to version 0.9.10 or 0.8.13, which fix the comment-serialization flaw.
  • Ensure that all transitive dependencies have been updated so that the patched version is used throughout the dependency tree.
  • If immediate upgrade is not possible, sanitize or remove comment nodes before serialization, preventing any comment-breaking sequences from reaching the serializer.
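The third action above, checking comment nodes before they reach the serializer, as an added JavaScript example (not xmldom's code and not the upstream patch): it flags the comment-breaking sequences the description mentions, neutralizes them, and contrasts the verbatim copy-through the advisory describes with two hardened variants. The node-tree shape and the sample comment text in the comments are constructed for the demonstration.

```javascript
// Added example, not xmldom's own code: a pre-serialization check for the
// comment-breaking sequences the advisory describes. Works on plain strings
// and on a constructed DOM-like tree ({nodeType, data, childNodes}).
const COMMENT_NODE = 8;

// XML 1.0 forbids "--" inside comment data and a trailing "-" (which would
// form "--->" with the closing delimiter). Either lets the comment end early.
// Returns null when the data is safe, otherwise a reason suitable for logging.
function checkCommentData(data) {
  if (typeof data !== "string") return "comment data is not a string";
  if (data.includes("--")) return 'comment data contains "--"';
  if (data.endsWith("-")) return 'comment data ends with "-"';
  return null;
}

// Neutralizes rather than rejects: breaks every "--" with a space (looping so
// "---" becomes "- - -") and pads a trailing "-" so it cannot join "-->".
function neutralizeCommentData(data) {
  let out = data;
  while (out.includes("--")) out = out.replace(/--/g, "- -");
  if (out.endsWith("-")) out += " ";
  return out;
}

// What the advisory says the unpatched serializer does: copies data verbatim,
// so data such as "note --><x/>" (constructed) closes the comment early.
function serializeCommentNaive(data) {
  return `<!--${data}-->`;
}

// Hardened form for callers that can drop the node: refuse unsafe data.
function serializeCommentStrict(data) {
  const problem = checkCommentData(data);
  if (problem !== null) throw new Error(`refusing to serialize comment: ${problem}`);
  return `<!--${data}-->`;
}

// Hardened form for callers that must keep the node: neutralize, then emit.
function serializeCommentSanitized(data) {
  return `<!--${neutralizeCommentData(data)}-->`;
}

// Walks a node tree and lists every comment whose data would break out,
// with a child-index path so the offending node can be located or removed.
function findUnsafeComments(node, path = "/", found = []) {
  if (node.nodeType === COMMENT_NODE) {
    const problem = checkCommentData(node.data);
    if (problem !== null) found.push({ path, problem });
  }
  (node.childNodes || []).forEach((child, i) => findUnsafeComments(child, `${path}${i}/`, found));
  return found;
}
```

Run `findUnsafeComments(doc)` over a parsed document before calling the serializer, and treat a non-empty result as a detection event worth logging.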


Advisories
Source: GitHub GHSA
ID: GHSA-j759-j44w-7fr8
Title: xmldom has XML node injection through unvalidated comment serialization
History

Thu, 07 May 2026 06:45:00 +0000

Type: First Time appeared
Values Added: Xmldom; Xmldom xmldom
Type: Vendors & Products
Values Added: Xmldom; Xmldom xmldom

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values Added: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
Type: Title
Values Added: xmldom: XML node injection through unvalidated comment serialization
Type: Weaknesses
Values Added: CWE-91
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T03:36:16.914Z

Reserved: 2026-04-22T03:53:24.405Z

Link: CVE-2026-41672

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-07T04:16:33.087

Modified: 2026-05-07T04:16:33.087

Link: CVE-2026-41672

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:30:05Z

Weaknesses