CVE-2026-41672: xmldom has XML node injection through unvalidated comment serialization
The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output.
References
- github.com/advisories/GHSA-j759-j44w-7fr8
- github.com/xmldom/xmldom
- github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7
- github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1
- github.com/xmldom/xmldom/pull/987
- github.com/xmldom/xmldom/releases/tag/0.8.13
- github.com/xmldom/xmldom/releases/tag/0.9.10
- github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8
- nvd.nist.gov/vuln/detail/CVE-2026-41672