CVE-2026-34601

HIGH 7.5

xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

13th

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.

CWE	CWE-91
Vendor	xmldom
Product	xmldom
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for xmldom xmldom

Be the first to know when new high vulnerabilities affecting xmldom xmldom are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

xmldom / xmldom

xmldom <= 0.6.0 @xmldom/xmldom < 0.8.12 @xmldom/xmldom >= 0.9.0, < 0.9.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp github.com: https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184 github.com: https://github.com/xmldom/xmldom/releases/tag/0.8.12 github.com: https://github.com/xmldom/xmldom/releases/tag/0.9.9