CVE-2026-34601
XML Structure Injection in xmldom via Unsafe CDATA Serialization

Publication date: 2026-04-02

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor     Product   Version / Range
xmldom     xmldom    0.6.0
@xmldom    xmldom    up to 0.8.12 (exclusive)
@xmldom    xmldom    up to 0.9.9 (exclusive)
CWE
CWE-91: The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-34601 is an XML injection vulnerability that allows attacker-controlled markup to be injected into XML documents generated by the xmldom library. This can lead to integrity violations of XML data and manipulation of downstream business logic, such as injecting unauthorized workflow flags or privilege escalations.

Such integrity violations and unauthorized data manipulation could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and prevention of unauthorized data modification. Applications using xmldom to generate XML documents embedding untrusted input inside CDATA sections may be at risk of violating these requirements if the vulnerability is exploited.

However, the provided information does not explicitly discuss compliance with specific standards or regulations.


Can you explain this vulnerability to me?

CVE-2026-34601 is an XML injection vulnerability in the xmldom JavaScript library that arises from unsafe handling of CDATA sections. Specifically, the library's createCDATASection method allowed attacker-controlled strings containing the CDATA terminator sequence "]]>" to be inserted into a CDATASection node without validation.

During XML serialization, the XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. Since "]]>" is not allowed inside CDATA content, this caused premature closure of the CDATA section and the remainder of the attacker-controlled payload was interpreted as active XML markup.

This enabled attackers to inject arbitrary XML elements or attributes, leading to XML structure injection and manipulation of downstream business logic.

The vulnerability was fixed by making createCDATASection throw an InvalidCharacterError if the input contains "]]>" and by modifying XMLSerializer to split CDATA sections containing "]]>" into multiple adjacent CDATA sections during serialization, preventing injection.


How can this vulnerability impact me?

If you use xmldom to generate XML documents that embed untrusted user input inside CDATA sections, this vulnerability can allow attackers to inject additional XML elements or attributes into your XML output.

This injection can lead to integrity violations of XML documents and manipulation of downstream business logic, such as injecting flags like <approved>true</approved> or <role>admin</role>.

As a result, attackers could cause unexpected privilege escalations, unauthorized workflow changes, or other malicious effects in systems that consume the XML.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unsafe handling of CDATA sections containing the sequence "]]>" in the xmldom library during XML serialization, which can lead to XML injection. Detection involves identifying if your system or application uses vulnerable versions of xmldom (versions 0.6.0 and prior, or @xmldom/xmldom prior to 0.8.12 and 0.9.9) and whether XML documents generated by these versions include untrusted input inside CDATA sections.

To detect exploitation attempts or presence of the vulnerability, you can:

  • Check your project dependencies to identify if xmldom or @xmldom/xmldom is used and verify the version with commands like `npm list xmldom` or `npm list @xmldom/xmldom`.
  • Search your XML output or logs for CDATA content containing the substring "]]>", which should not normally appear inside CDATA content. For example, use `grep -r ']]>' /path/to/xml/files` to locate terminators; since every legitimate CDATA section also ends with "]]>", look for sections where the terminator is followed by element markup rather than by the expected closing tag.
  • Monitor XML serialization code paths that use `createCDATASection` or mutation methods (`appendData`, `replaceData`, `.data`, `.textContent`) to see if untrusted input containing "]]>" is passed.

No specific network commands or automated detection tools are described in the provided resources, so detection primarily relies on code and dependency inspection and searching for suspicious CDATA terminators in XML data.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation for CVE-2026-34601 is to upgrade the xmldom library to a patched version where the vulnerability is fixed.

  • Upgrade xmldom to version 0.6.0 or later, or @xmldom/xmldom to versions 0.8.12 or 0.9.9 or later, where the vulnerability has been addressed.
  • Ensure that the `createCDATASection` method is not called with strings containing the forbidden sequence "]]>" as these versions now throw an `InvalidCharacterError` in such cases.
  • If you need to include the sequence "]]>" inside CDATA sections, use mutation methods such as `appendData`, `replaceData`, or direct assignments to `.data` or `.textContent` instead of passing the string directly to `createCDATASection`.
  • Review your XML serialization logic to confirm it uses the updated `XMLSerializer` which safely splits CDATA sections containing "]]>" to prevent injection.

These steps collectively prevent unsafe CDATA serialization and XML injection attacks by enforcing strict validation and safe serialization behavior.
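The following is an added example, not xmldom's own code, illustrating both the reject-or-split fix described in the explanation above and the mitigation list above. The helper names (`serializeCdataUnsafe`, `createCdataStrict`, `serializeCdataSafe`, `tagsOutsideCdata`, `buildNote`) and the sample input are assumptions constructed for this illustration.

```javascript
// Added example, not xmldom's own code: contrasts verbatim CDATA serialization
// (the vulnerable behaviour) with the reject-or-split behaviour the fix describes.
const CDATA_TERMINATOR = "]]>";

// Vulnerable behaviour: the terminator inside `data` is emitted as-is, so the
// CDATA section closes early and whatever follows is live markup for the consumer.
function serializeCdataUnsafe(data) {
  return "<![CDATA[" + data + CDATA_TERMINATOR;
}

// Patched createCDATASection behaviour: refuse content containing the terminator.
// (xmldom throws an InvalidCharacterError; a plain Error stands in for it here.)
function createCdataStrict(data) {
  if (data.includes(CDATA_TERMINATOR)) {
    throw new Error("InvalidCharacterError: CDATA content must not contain ']]>'");
  }
  return data;
}

// Patched XMLSerializer behaviour: split at every "]]>" so no single section
// contains the terminator. Each "]]>" becomes "]]" + "]]>" + "<![CDATA[" + ">".
function serializeCdataSafe(data) {
  const splitter = "]]" + CDATA_TERMINATOR + "<![CDATA[" + ">";
  return "<![CDATA[" + data.split(CDATA_TERMINATOR).join(splitter) + CDATA_TERMINATOR;
}

// Consumer-side check (hypothetical helper): strip every well-formed CDATA
// section and list the element names that remain, i.e. what a parser would
// treat as real markup rather than text.
function tagsOutsideCdata(xml) {
  const stripped = xml.replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, "");
  return Array.from(stripped.matchAll(/<\/?([A-Za-z][\w.-]*)/g), (m) => m[1]);
}

// Wrap a serialized CDATA section in a constructed document element.
function buildNote(serialize, data) {
  return "<note>" + serialize(data) + "</note>";
}

// Constructed attacker-controlled input of the kind the advisory describes:
// it closes the CDATA section, injects an element, and reopens CDATA so the
// trailing "]]>" written by the serializer still parses cleanly.
const UNTRUSTED = "hello]]><approved>true</approved><![CDATA[";

console.log(tagsOutsideCdata(buildNote(serializeCdataUnsafe, UNTRUSTED))); // [ 'note', 'approved', 'approved', 'note' ]
console.log(tagsOutsideCdata(buildNote(serializeCdataSafe, UNTRUSTED)));   // [ 'note', 'note' ]
```

With the unsafe serializer the injected `<approved>` element lands outside any CDATA section; with the splitting serializer the same input stays text-only.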

