XML injection in xmldom - #VU126511


Published: April 20, 2026


Vulnerability identifier: #VU126511
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: xmldom
Affected software:
xmldom

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary XML nodes into serialized output.

The vulnerability exists due to improper neutralization of special elements during processing instruction serialization: createProcessingInstruction and the XML serializer do not neutralize the PI-closing sequence ?> in processing instruction data. A remote attacker can supply specially crafted processing instruction data to inject arbitrary XML nodes into serialized output.

The issue affects the DOM construction and serialization flow for processing instruction nodes: attacker-controlled data containing ?> terminates the processing instruction early, so whatever follows it is treated as active XML markup by downstream parsers.
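The check a compliant DOM implementation applies at this point, shown here as an added example that is not xmldom's code: the DOM standard's createProcessingInstruction steps reject a target that is not an XML Name and data that contains "?>" with an InvalidCharacterError, so the serializer never sees a PI that can close early. The helper names (validateProcessingInstruction, serializeProcessingInstruction, demo) and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example (not xmldom's code). Guards PI construction the way the DOM
// standard specifies, so untrusted PI data cannot terminate the PI early.

// Simplified XML Name production (ASCII subset) for the PI target.
const PI_TARGET = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

class InvalidCharacterError extends Error {
  constructor(message) { super(message); this.name = 'InvalidCharacterError'; }
}

// DOM standard createProcessingInstruction(target, data) checks:
//  1. target must match the Name production;
//  2. data must not contain the PI-closing sequence "?>".
// The reserved-target check ("xml", any case) comes from XML 1.0, not DOM.
function validateProcessingInstruction(target, data) {
  if (!PI_TARGET.test(target)) {
    throw new InvalidCharacterError(`invalid PI target: ${JSON.stringify(target)}`);
  }
  if (/^xml$/i.test(target)) {
    throw new InvalidCharacterError('PI target "xml" is reserved by XML 1.0');
  }
  if (data.includes('?>')) {
    throw new InvalidCharacterError('PI data must not contain "?>"');
  }
  return true;
}

// Serialize only after validation; a PI built from validated parts has
// exactly one closing sequence, the one the serializer appends.
function serializeProcessingInstruction(target, data) {
  validateProcessingInstruction(target, data);
  return data === '' ? `<?${target}?>` : `<?${target} ${data}?>`;
}

// Constructed sample inputs: one well-formed PI and one whose data carries
// an embedded PI terminator, which the guard must reject.
function demo() {
  const ok = serializeProcessingInstruction('xml-stylesheet', 'href="a.xsl" type="text/xsl"');
  let rejected = false;
  try {
    serializeProcessingInstruction('app', 'x ?><b/>');  // constructed bad data
  } catch (e) {
    rejected = e instanceof InvalidCharacterError;
  }
  return { ok, rejected };
}
```

When auditing an application that builds PIs from external input, the same three checks are the minimum to apply before the data reaches any serializer.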


Remediation

Install security update from vendor's website.

Sources