Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13, and in xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Published: 2026-05-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because xmldom's XMLSerializer writes the DocumentType node fields (internalSubset, publicId, systemId) verbatim, without escaping or validation. An attacker-controlled string in any of these fields can terminate the DOCTYPE declaration early and place arbitrary markup outside it. The result is a loss of data integrity: the generated XML carries content the application did not intend, which downstream parsers then consume. The flaw is a high-severity XML injection issue (CWE-91) with a CVSS 4.0 base score of 8.7.

Affected Systems

The library is xmldom, a pure JavaScript XML DOM implementation. The affected packages are @xmldom/xmldom (0.9.x releases before 0.9.10 and 0.8.x releases before 0.8.13) and the unscoped xmldom package (0.6.0 and all earlier releases). The problem lies in the XMLSerializer component that produces the XML output string.

Risk and Exploitability

The CVSS vector rates the impact on integrity as high, with no impact on confidentiality or availability. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, indicating no known widespread exploitation at the time of analysis. The likely attack path is a DocumentType node that is created or modified in the DOM before serialization, with its internalSubset, publicId or systemId field populated from data the attacker controls. Because the defect is the serializer's lack of escaping, any application that builds DocumentType nodes from untrusted input and later serializes them can be affected.

Generated by OpenCVE AI on May 7, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @xmldom/xmldom to 0.9.10 or later, or to 0.8.13 or later if using the 0.8 series; the patch removes the unfiltered serialization. The advisory lists no fixed release for the unscoped xmldom package (0.6.0 and earlier).
  • If upgrading is not feasible, ensure that no DocumentType node created by the application contains user-supplied data; if it must, sanitize the internalSubset, publicId and systemId fields so that characters able to close a literal or the declaration are escaped or removed before calling XMLSerializer.serializeToString.
  • Review all code paths that serialize XML to enforce that DocumentType nodes are either omitted or contain validated content, and add automated tests that confirm the output DOCTYPE is well-formed before deployment.

Generated by OpenCVE AI on May 7, 2026 at 05:55 UTC.
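
The second and third recommended actions call for validating DocumentType fields before serialization. The following is an added example written for this page, not code from xmldom or OpenCVE: it checks a DocumentType's fields against the XML 1.0 DOCTYPE grammar and only then builds the declaration string. The field names mirror the DOM DocumentType interface; the ASCII-only Name pattern and the function names are assumptions of this example.

```javascript
// Added example, not xmldom's own code: a pre-serialization check that
// enforces the advisory's advice to validate internalSubset, publicId and
// systemId before handing a DocumentType to XMLSerializer.serializeToString.
// The rules come from the XML 1.0 DOCTYPE grammar; the field names mirror
// the DOM DocumentType interface (assumption: plain objects stand in for nodes).

// PubidChar ::= #x20 | #xD | #xA | [a-zA-Z0-9] | [-'()+,./:=?;!*#@$_%]
const PUBID_LITERAL = /^[ \r\na-zA-Z0-9\-'()+,.\/:=?;!*#@$_%]*$/;
// XML Name, restricted to its ASCII subset for this example (assumption).
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9_:.\-]*$/;

// Returns a list of problems; an empty list means the fields are safe to serialize.
function validateDoctypeFields({ name = '', publicId = '', systemId = '', internalSubset = '' }) {
  const problems = [];
  if (!XML_NAME.test(name)) problems.push('name is not an XML Name');
  // A double quote, '<' or '>' in the public id would close the literal or the declaration.
  if (!PUBID_LITERAL.test(publicId)) problems.push('publicId contains characters outside PubidChar');
  // ExternalID ::= 'PUBLIC' S PubidLiteral S SystemLiteral, so PUBLIC needs a system literal.
  if (publicId && !systemId) problems.push('PUBLIC requires a system literal as well');
  // A system literal may use either quote, so only a value holding both is unquotable.
  if (systemId.includes('"') && systemId.includes("'")) problems.push('systemId contains both quote characters');
  if (/[<>]/.test(systemId)) problems.push('systemId contains < or >');
  // "]" followed by ">" ends the internal subset and with it the whole DOCTYPE.
  if (/\]\s*>/.test(internalSubset)) problems.push('internalSubset contains "]>"');
  return problems;
}

// Builds the DOCTYPE string only after the checks above pass; throws otherwise.
function buildDoctype(fields) {
  const problems = validateDoctypeFields(fields);
  if (problems.length) throw new Error('unsafe DocumentType: ' + problems.join('; '));
  const { name, publicId = '', systemId = '', internalSubset = '' } = fields;
  // Pick the quote character the value does not contain (validation ruled out both).
  const quote = (s) => (s.includes('"') ? `'${s}'` : `"${s}"`);
  let out = `<!DOCTYPE ${name}`;
  if (publicId) out += ` PUBLIC ${quote(publicId)} ${quote(systemId)}`;
  else if (systemId) out += ` SYSTEM ${quote(systemId)}`;
  if (internalSubset) out += ` [${internalSubset}]`;
  return out + '>';
}
```

Run validateDoctypeFields on the node's fields before calling serializeToString and reject the request when it returns any problem; buildDoctype shows what a correctly quoted declaration looks like for the accepted inputs.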

Advisories
Source: GitHub GHSA
ID: GHSA-f6ww-3ggp-fr8h
Title: xmldom has XML injection through unvalidated DocumentType serialization
History

Thu, 07 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 07:45:00 +0000

Type: First Time appeared
Values Added: Xmldom; Xmldom xmldom

Type: Vendors & Products
Values Added: Xmldom; Xmldom xmldom

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values Added: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

Type: Title
Values Added: xmldom: XML injection through unvalidated DocumentType serialization

Type: Weaknesses
Values Added: CWE-91

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-07T12:35:39.361Z
Reserved: 2026-04-22T03:53:24.405Z
Link: CVE-2026-41674

Vulnrichment

Updated: 2026-05-07T12:35:12.270Z

NVD

Status: Received
Published: 2026-05-07T04:16:33.433
Modified: 2026-05-07T13:16:12.483
Link: CVE-2026-41674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T07:30:24Z

Weaknesses