XML injection in xmldom - #VU126514


Published: April 20, 2026


Vulnerability identifier: #VU126514
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: xmldom
Affected software:
xmldom

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary XML nodes into serialized output.

The vulnerability exists due to improper neutralization of special elements when comment nodes are serialized: the DOM construction and serialization path for comment nodes does not neutralize comment-breaking sequences in attacker-controlled comment content. A remote attacker can supply crafted comment data containing such sequences to inject arbitrary XML nodes into the serialized output.

This can affect workflows that generate XML and then store it, forward it, sign it, or pass it to another parser.


Remediation

Install the security update from the vendor's website.

Sources