CVE-2026-41675
xmldom: XML node injection through unvalidated processing instruction serialization
In short
The xmldom library serializes XML processing instructions without validating or neutralizing the PI-closing sequence `?>`, so an attacker who controls the instruction data can end the instruction early and inject arbitrary XML nodes into the output. This can corrupt documents or insert unauthorized content.
Technical detail
The vulnerability exists in the XMLSerializer component, where attacker-controlled processing instruction data is serialized without neutralizing the PI-closing sequence (`?>`). An attacker can include that sequence to terminate the processing instruction prematurely and inject arbitrary XML nodes after it. The attack requires control over processing instruction content that is later serialized; parsing alone is not affected.
Summary generated and translated by AI from the official description.
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence `?>`. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
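A defender-side input check for this class of bug, added here as an example and not code from xmldom: XML 1.0 gives processing instruction data no escape syntax, so the only correct handling of `?>` in untrusted data is to reject it before it reaches any serializer. The target validation and sample inputs below are assumptions for the example, not taken from the advisory.

```javascript
// Added example, not xmldom's own code. Validates a processing instruction (PI)
// before serialization. PI data has no escape mechanism in XML 1.0 (section 2.6),
// so "?>" inside the data cannot be encoded and must be refused. The target must
// be an XML Name and may not be "xml" in any letter case (reserved).

const PI_CLOSE = '?>';
// Simplified ASCII subset of the XML Name production (assumption for this example).
const PI_TARGET_RE = /^[A-Za-z_][A-Za-z0-9_.-]*$/;

function validateProcessingInstruction(target, data) {
  if (typeof target !== 'string' || !PI_TARGET_RE.test(target)) {
    return { ok: false, reason: 'PI target is not a valid XML Name' };
  }
  if (target.toLowerCase() === 'xml') {
    return { ok: false, reason: 'PI target "xml" is reserved' };
  }
  if (typeof data !== 'string') {
    return { ok: false, reason: 'PI data must be a string' };
  }
  const idx = data.indexOf(PI_CLOSE);
  if (idx !== -1) {
    return { ok: false, reason: `PI data contains "?>" at offset ${idx}` };
  }
  return { ok: true, reason: '' };
}

// Hardened serializer: throws on input that would close the PI early rather than
// emitting a string a parser would read as a PI followed by injected nodes.
function serializeProcessingInstruction(target, data) {
  const result = validateProcessingInstruction(target, data);
  if (!result.ok) {
    throw new Error(`refusing to serialize PI: ${result.reason}`);
  }
  return data === '' ? `<?${target}?>` : `<?${target} ${data}?>`;
}

// Constructed sample inputs: a benign stylesheet PI and one whose data carries
// the PI-closing sequence the advisory describes.
const BENIGN = { target: 'xml-stylesheet', data: 'type="text/xsl" href="style.xsl"' };
const TAINTED = { target: 'xml-stylesheet', data: 'href="style.xsl"?><extra/>' };

console.log(serializeProcessingInstruction(BENIGN.target, BENIGN.data));
console.log(validateProcessingInstruction(TAINTED.target, TAINTED.data));
```

Run the same check on any PI data that enters a document from user input, and treat a rejection as a security event worth logging rather than silently stripping the sequence.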
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
xmldom · xmldom