Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence `?>`. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Published: 2026-05-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs because the xmldom library does not validate processing instruction data before serializing it to XML. An attacker who controls that data can place the PI-closing sequence `?>` inside it, so the serializer emits a processing instruction that terminates early, followed by whatever XML the attacker appended. This corrupts the document structure: any consumer that re-parses the serialized output sees nodes the original document never contained and may execute unwanted logic or treat the injected nodes as legitimate data.

Affected Systems

All installs of @xmldom/xmldom before 0.9.10 or 0.8.13, together with the legacy xmldom package at version 0.6.0 and earlier, are affected. The fix was incorporated in the 0.9.10 and 0.8.13 releases of @xmldom/xmldom.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, but the flaw is a classic injection vector: any application that places untrusted data into a processing instruction and serializes it with xmldom's XMLSerializer is susceptible to XML node injection.

Generated by OpenCVE AI on May 7, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @xmldom/xmldom to version 0.9.10 or 0.8.13, which contain the fix
  • Validate or sanitize any data destined for processing instructions before serialization to prevent premature closing sequences
  • Continuously monitor xmldom’s repository and apply newer security releases as soon as they become available
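The second action above, as an added JavaScript example (not code from the xmldom project; function names and sample inputs are my own): a check that refuses processing-instruction data containing `?>` before it reaches a serializer, shown next to the unchecked string assembly the advisory describes so the effect on the output is visible. XML provides no escape for `?>` inside PI data, so rejection (or stripping) is the only safe handling.

```javascript
// Added example: guarding processing-instruction (PI) data before serialization.
// Not code from @xmldom/xmldom; the function names here are hypothetical.
// XML 1.0 defines a PI as "<?" Target (S data)? "?>". Nothing inside the data
// can escape "?>", so data containing it must be rejected before serializing.

const PI_TARGET = /^[A-Za-z_:][A-Za-z0-9_.:-]*$/;

// Returns null when the PI is safe to serialize, otherwise a reason string.
function piDataProblem(target, data) {
  if (!PI_TARGET.test(target) || /^xml$/i.test(target)) {
    return 'invalid or reserved PI target';
  }
  if (data.includes('?>')) {
    return 'PI data contains the closing sequence "?>"';
  }
  return null;
}

// Unchecked assembly, i.e. the pre-fix behaviour the advisory describes.
function serializePiUnchecked(target, data) {
  return data ? `<?${target} ${data}?>` : `<?${target}?>`;
}

// Hardened assembly: refuse rather than emit a PI that terminates early.
function serializePiChecked(target, data) {
  const problem = piDataProblem(target, data);
  if (problem) throw new Error(`rejected processing instruction: ${problem}`);
  return serializePiUnchecked(target, data);
}

// Detection aid: a single well-formed PI serializes to exactly one "?>".
function countPiTerminators(xml) {
  return xml.split('?>').length - 1;
}

// Constructed sample inputs (not taken from the advisory).
const benign = 'type="text/xsl" href="style.xsl"';
const hostile = 'href="a.xsl"?><injected/>';
```

With the hostile sample, `serializePiUnchecked` yields two `?>` terminators and a stray `<injected/>` element, while `serializePiChecked` throws before anything is emitted.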



Advisories
Source: GitHub GHSA
ID: GHSA-x6wf-f3px-wcqx
Title: xmldom has XML node injection through unvalidated processing instruction serialization
History

Thu, 07 May 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

Type: First Time appeared
Values added: Xmldom; Xmldom xmldom
Type: Vendors & Products
Values added: Xmldom; Xmldom xmldom

Thu, 07 May 2026 04:15:00 +0000

Type: Description
Values added: (the CVE description shown in the Description section above)
Type: Title
Values added: xmldom: XML node injection through unvalidated processing instruction serialization
Type: Weaknesses
Values added: CWE-91
Type: References
Type: Metrics (cvssV4_0)
Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:44:35.717Z

Reserved: 2026-04-22T03:53:24.406Z

Link: CVE-2026-41675

Vulnrichment

Updated: 2026-05-07T13:42:58.796Z

NVD

Status: Deferred

Published: 2026-05-07T04:16:33.580

Modified: 2026-05-07T15:16:08.817

Link: CVE-2026-41675

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:45:06Z

Weaknesses