Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.

INFO

Published Date :

2026-04-02T17:47:13.209Z

Last Modified :

2026-04-02T17:47:13.209Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34601 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34601.

URL Resource
https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184 cve-icon cve-icon
https://github.com/xmldom/xmldom/releases/tag/0.8.12 cve-icon cve-icon
https://github.com/xmldom/xmldom/releases/tag/0.9.9 cve-icon cve-icon
https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact