CVE-2026-41675

EUVD-2026-28290

07.05.2026, 04:16

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

aka Blind XPath Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Debian Releases

Debian Product

Codename

node-xmldom

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	0.9.10-1 fixed
trixie	vulnerable

Common Weakness Enumeration

CWE-91 - XML Injection (aka Blind XPath Injection)
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

References

https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2

https://github.com/xmldom/xmldom/releases/tag/0.8.13

https://github.com/xmldom/xmldom/releases/tag/0.9.10

https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx

https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx