CVE-2026-41674: xmldom has XML injection through unvalidated DocumentType serialization
The package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim
without any escaping or validation. When these fields are set programmatically to attacker-controlled
strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is
terminated early and arbitrary markup appears outside it.
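As an added example, not xmldom's code or the advisory's actual fix: a conservative check that rejects DocumentType field values which cannot be emitted without a quote or a subset terminator ending the declaration early, plus a serializer that picks the quote character instead of emitting the fields verbatim. The function names and rejection rules are this example's assumptions.

```javascript
// Added example (not xmldom's own code): validate the DocumentType fields
// the advisory names before serializing, and serialize only accepted values.
// Rejection rules are assumptions about a safe DOCTYPE, not xmldom's API.

// PubidChar from XML 1.0: the only characters allowed in a public identifier.
const PUBID_CHAR = /^[\x20\r\na-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;
// ASCII-only subset of the XML Name production, enough for this example.
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9_.:\-]*$/;

// A literal must be wrapped in a quote character it does not contain.
function pickQuote(value) {
  if (!value.includes('"')) return '"';
  if (!value.includes("'")) return "'";
  return null;
}

// Returns a list of problems; empty means every field can be emitted without
// a quote or a ']>' sequence closing the declaration early.
function validateDoctypeFields({ name, publicId = '', systemId = '', internalSubset = '' }) {
  const problems = [];
  if (!XML_NAME.test(name)) problems.push('name is not an XML Name');
  if (!PUBID_CHAR.test(publicId)) problems.push('publicId has characters outside PubidChar');
  if (publicId && !systemId) problems.push('publicId requires a systemId');
  if (pickQuote(systemId) === null) problems.push('systemId contains both quote characters');
  // ']' followed by optional whitespace and '>' closes the internal subset.
  if (/\]\s*>/.test(internalSubset)) problems.push('internalSubset contains a subset terminator');
  return problems;
}

// Builds the DOCTYPE string, throwing rather than emitting unsafe fields.
function serializeDoctype(doctype) {
  const problems = validateDoctypeFields(doctype);
  if (problems.length) throw new Error('unsafe DocumentType: ' + problems.join('; '));
  const { name, publicId = '', systemId = '', internalSubset = '' } = doctype;
  let out = '<!DOCTYPE ' + name;
  // PubidChar excludes '"', so a public id is always safe in double quotes.
  if (publicId) out += ' PUBLIC "' + publicId + '"';
  if (systemId) {
    const q = pickQuote(systemId);
    out += (publicId ? ' ' : ' SYSTEM ') + q + systemId + q;
  }
  if (internalSubset) out += ' [' + internalSubset + ']';
  return out + '>';
}
```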
References
- github.com/advisories/GHSA-f6ww-3ggp-fr8h
- github.com/xmldom/xmldom
- github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314
- github.com/xmldom/xmldom/releases/tag/0.8.13
- github.com/xmldom/xmldom/releases/tag/0.9.10
- github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h
- nvd.nist.gov/vuln/detail/CVE-2026-41674