CVE-2026-41675: xmldom has XML node injection through unvalidated processing instruction serialization
The package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output.
References
- github.com/advisories/GHSA-x6wf-f3px-wcqx
- github.com/xmldom/xmldom
- github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2
- github.com/xmldom/xmldom/releases/tag/0.8.13
- github.com/xmldom/xmldom/releases/tag/0.9.10
- github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx
- nvd.nist.gov/vuln/detail/CVE-2026-41675