Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

INFO

Published Date :

2026-05-07T03:49:34.056Z

Last Modified :

2026-05-07T03:49:34.056Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41675 vulnerability.

Vendors Products
Xmldom
  • Xmldom
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41675.

URL Resource
https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2 cve-icon cve-icon
https://github.com/xmldom/xmldom/releases/tag/0.8.13 cve-icon cve-icon
https://github.com/xmldom/xmldom/releases/tag/0.9.10 cve-icon cve-icon
https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability