Main Vulnerability Database Vulnerabilities #VU126510

XML injection in xmldom - CVE-2026-34601

Published: April 20, 2026

Vulnerability identifier: #VU126510

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-34601

CWE-ID: CWE-91

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: xmldom

Affected software:
xmldom

Detailed vulnerability description

The vulnerability allows a remote attacker to inject XML markup into serialized output.

The vulnerability exists due to improper neutralization of special elements in XMLSerializer CDATA serialization when serializing attacker-controlled CDATA content containing the CDATA terminator. A remote attacker can supply a crafted string that includes ]]> to inject XML markup into serialized output.

Applications are affected when they embed untrusted input inside CDATA sections in generated XML documents, and mutation methods such as appendData(), replaceData(), direct .data assignment, or .textContent assignment can also introduce the unsafe content.

How to mitigate CVE-2026-34601

Install security update from vendor's website.

XML injection in xmldom - CVE-2026-34601

Detailed vulnerability description

How to mitigate CVE-2026-34601

Sources

Please verify you're human