XML injection in xmldom - #VU126512


Published: April 20, 2026


Vulnerability identifier: #VU126512
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: xmldom
Affected software:
xmldom

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary XML markup into serialized output.

The vulnerability exists due to insufficient validation of attacker-controlled DocumentType fields during DocumentType serialization. A remote attacker can supply crafted publicId, systemId, or internalSubset values to inject arbitrary XML markup into the serialized output.

The issue is reachable through programmatic createDocumentType calls or direct writes to DocumentType properties; the parse path is reported as not affected.
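A defensive guard that can sit in front of DocumentType construction and serialization, as an added example that is not part of the advisory or of xmldom; it assumes the DOM field names (name, publicId, systemId, internalSubset) and derives its character classes from the XML 1.0 grammar.

```javascript
// Added example, not code from the advisory or from xmldom: a pre-serialization
// guard for DocumentType fields, to run before createDocumentType() or before
// assigning publicId/systemId/internalSubset. The checks are deliberately
// conservative (they reject some legal values, e.g. a quote in a system id).

// Doctype name: an XML Name, restricted here to its ASCII subset.
const ASCII_NAME_RE = /^[A-Za-z_:][A-Za-z0-9_:.\-]*$/;
// PubidChar production: the only characters allowed in a public identifier.
const PUBID_CHAR_RE = /^[A-Za-z0-9\x20\x0D\x0A\-'()+,./:=?;!*#@$_%]*$/;
// Control characters that are not XML Char (tab, LF and CR are allowed).
const BAD_CTRL_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F]/;
// A ']' followed by optional whitespace and '>' would close the internal
// subset early, so whatever follows would be parsed as document markup.
const SUBSET_TERMINATOR_RE = /\]\s*>/;

function checkDocumentTypeFields(fields) {
  const { name, publicId = '', systemId = '', internalSubset = '' } = fields;
  const problems = [];
  for (const [k, v] of Object.entries({ name, publicId, systemId, internalSubset })) {
    if (typeof v !== 'string') problems.push(`${k} is not a string`);
    else if (BAD_CTRL_RE.test(v)) problems.push(`${k} contains a control character`);
  }
  if (problems.length) return problems;
  if (!ASCII_NAME_RE.test(name)) problems.push('name is not an XML Name');
  if (!PUBID_CHAR_RE.test(publicId)) problems.push('publicId has a character outside PubidChar');
  if (/["']/.test(systemId)) problems.push('systemId contains a quote character');
  if (SUBSET_TERMINATOR_RE.test(internalSubset)) problems.push('internalSubset contains a subset terminator');
  return problems;
}

// Serialize only after the guard passes; throws on any finding.
function serializeDocumentType(fields) {
  const problems = checkDocumentTypeFields(fields);
  if (problems.length) throw new Error('unsafe DocumentType: ' + problems.join('; '));
  const { name, publicId = '', systemId = '', internalSubset = '' } = fields;
  let out = '<!DOCTYPE ' + name;
  if (publicId) out += ` PUBLIC "${publicId}" "${systemId}"`;
  else if (systemId) out += ` SYSTEM "${systemId}"`;
  if (internalSubset) out += ` [${internalSubset}]`;
  return out + '>';
}

// Constructed sample values for a quick self-check.
const SAFE_XHTML = {
  name: 'html',
  publicId: '-//W3C//DTD XHTML 1.0 Strict//EN',
  systemId: 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd',
};
const HOSTILE_SUBSET = { name: 'html', internalSubset: '<!ENTITY e "x">]><injected/>' };
```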


Remediation

Install security update from vendor's website.

Sources