Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

INFO

Published Date :

2026-05-07T03:36:16.914Z

Last Modified :

2026-05-07T14:58:08.512Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41672 vulnerability.

Vendors Products
Xmldom
  • Xmldom
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41672.

URL Resource
https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7 cve-icon cve-icon
https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1 cve-icon cve-icon
https://github.com/xmldom/xmldom/pull/987 cve-icon cve-icon
https://github.com/xmldom/xmldom/releases/tag/0.8.13 cve-icon cve-icon
https://github.com/xmldom/xmldom/releases/tag/0.9.10 cve-icon cve-icon
https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability