SB2026042037 - Multiple vulnerabilities in xmldom



SB2026042037 - Multiple vulnerabilities in xmldom

Published: April 20, 2026

Security Bulletin ID SB2026042037
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) XML injection (CVE-ID: CVE-2026-41675)

CWE-ID: CWE-91 - XML Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary XML nodes into serialized output.

The vulnerability exists due to improper neutralization of special elements in processing instruction serialization in createProcessingInstruction and the XML serializer when serializing processing instruction data containing the PI-closing sequence. A remote attacker can supply specially crafted processing instruction data to inject arbitrary XML nodes into serialized output.

The issue affects the DOM construction and serialization flow for processing instruction nodes, where attacker-controlled data containing ?> can terminate the processing instruction early and be treated as active XML markup by downstream parsers.


2) XML injection (CVE-ID: CVE-2026-41674)

CWE-ID: CWE-91 - XML Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary XML markup into serialized output.

The vulnerability exists due to xml injection in DocumentType serialization when serializing attacker-controlled DocumentType fields. A remote attacker can supply crafted publicId, systemId, or internalSubset values to inject arbitrary XML markup into serialized output.

The issue is reachable through programmatic createDocumentType calls or direct writes to DocumentType properties, while the parse path is described as safe.


3) Uncontrolled Recursion (CVE-ID: CVE-2026-41673)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in lib/dom.js DOM tree traversal logic when processing a deeply nested XML document through affected DOM operations. A remote attacker can send a valid deeply nested XML document to cause a denial of service.

The XML parser can successfully parse the crafted document, and the crash occurs during subsequent DOM operations such as XML serialization, normalization, node cloning, node import, text content access, tree comparison, or element lookup.


4) XML injection (CVE-ID: CVE-2026-41672)

CWE-ID: CWE-91 - XML Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary XML nodes into serialized output.

The vulnerability exists due to improper neutralization of special elements in XML comment serialization in the DOM construction and serialization flow for comment nodes when serializing attacker-controlled comment content. A remote attacker can supply crafted comment data containing comment-breaking sequences to inject arbitrary XML nodes into serialized output.

This can affect workflows that generate XML and then store it, forward it, sign it, or pass it to another parser.


Remediation

Install update from vendor's website.