CVE-2026-34601
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
In short
xmldom doesn't properly escape special characters when storing text in CDATA sections, allowing attackers to inject malicious XML code that gets executed when the document is read by other systems.
Technical detail
An attacker can insert the CDATA terminator sequence ]]> into a CDATASection node; XMLSerializer fails to sanitize or split this terminator during serialization, causing attacker-controlled markup to be emitted as active XML rather than text-only content, enabling XML injection and logic manipulation in downstream processors.
Summary generated and translated by AI from the official description.
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
xmldom · xmldomWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →