SB2026042037 - Multiple vulnerabilities in xmldom
Published: April 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) XML injection (CVE-ID: CVE-2026-41675)
CWE-ID: CWE-91 - XML Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary XML nodes into serialized output.
The vulnerability exists due to improper neutralization of special elements in processing instruction serialization in createProcessingInstruction and the XML serializer when serializing processing instruction data containing the PI-closing sequence. A remote attacker can supply specially crafted processing instruction data to inject arbitrary XML nodes into serialized output.
The issue affects the DOM construction and serialization flow for processing instruction nodes, where attacker-controlled data containing ?> can terminate the processing instruction early and be treated as active XML markup by downstream parsers.
2) XML injection (CVE-ID: CVE-2026-41674)
CWE-ID: CWE-91 - XML Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary XML markup into serialized output.
The vulnerability exists due to xml injection in DocumentType serialization when serializing attacker-controlled DocumentType fields. A remote attacker can supply crafted publicId, systemId, or internalSubset values to inject arbitrary XML markup into serialized output.
The issue is reachable through programmatic createDocumentType calls or direct writes to DocumentType properties, while the parse path is described as safe.
3) Uncontrolled Recursion (CVE-ID: CVE-2026-41673)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in lib/dom.js DOM tree traversal logic when processing a deeply nested XML document through affected DOM operations. A remote attacker can send a valid deeply nested XML document to cause a denial of service.
The XML parser can successfully parse the crafted document, and the crash occurs during subsequent DOM operations such as XML serialization, normalization, node cloning, node import, text content access, tree comparison, or element lookup.
4) XML injection (CVE-ID: CVE-2026-41672)
CWE-ID: CWE-91 - XML Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary XML nodes into serialized output.
The vulnerability exists due to improper neutralization of special elements in XML comment serialization in the DOM construction and serialization flow for comment nodes when serializing attacker-controlled comment content. A remote attacker can supply crafted comment data containing comment-breaking sequences to inject arbitrary XML nodes into serialized output.
This can affect workflows that generate XML and then store it, forward it, sign it, or pass it to another parser.
Remediation
Install update from vendor's website.
References
- https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx
- https://github.com/advisories/GHSA-x6wf-f3px-wcqx
- https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h
- https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw
- https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8
- https://github.com/advisories/GHSA-j759-j44w-7fr8