CVE-2026-41672
Deferred - Pending Action
XML Comment Injection in xmldom Library

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13, and in xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-18
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-05-11
Affected Vendors & Products (4 associated CPEs)
Vendor   Product   Version / Range
xmldom   xmldom    to 0.9.10 (exc)
xmldom   xmldom    from 0.9.0 (inc) to 0.9.10 (exc)
xmldom   xmldom    0.9.10
xmldom   xmldom    0.8.13
CWE
CWE ID   Description
CWE-91   The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41672 is a high-severity vulnerability in the xmldom JavaScript library that allows an attacker to inject arbitrary XML nodes by exploiting unsafe serialization of comment content.

Specifically, the vulnerability arises because the library does not properly validate or neutralize comment-breaking sequences like "-->" in XML comments. This allows an attacker to prematurely terminate a comment and insert malicious XML elements into the serialized output.

The issue affects versions prior to 0.9.10 and 0.8.13 of the xmldom library and has been fixed by introducing a strict mode option (`requireWellFormed: true`) that throws errors when unsafe sequences are detected during serialization.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized modification of XML data by allowing attackers to inject arbitrary XML nodes into serialized documents.

Such injection can cause data corruption, unauthorized access, or cross-site scripting (XSS) attacks in web applications that process or trust the affected XML.

Applications that use untrusted input in XML comment nodes and then serialize this XML without proper validation are particularly at risk.

This can affect configuration files, policy documents, message formats, or any downstream systems relying on the integrity of the XML data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in xmldom allows attacker-controlled comment content to be serialized into XML without proper validation, enabling injection of arbitrary XML nodes. This can lead to unauthorized modification of XML data, potentially affecting the integrity of configuration files, policy documents, or message formats that downstream systems rely on.

Such unauthorized XML modifications could result in data corruption or unauthorized access, which may violate data integrity and security requirements mandated by standards like GDPR and HIPAA. For example, if XML documents are used to store or transmit sensitive personal or health information, exploitation of this vulnerability could compromise the confidentiality and integrity of that data.

Therefore, organizations using vulnerable versions of xmldom in systems handling regulated data might face compliance risks due to potential unauthorized data manipulation or exposure.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if your system uses vulnerable versions of the xmldom library (prior to 0.8.13 and 0.9.10) and whether XML serialization is performed without the `requireWellFormed: true` option enabled.

Since the vulnerability arises from unsafe serialization of comment nodes containing sequences like "-->" that allow XML injection, you can detect it by inspecting XML serialization code or logs for unvalidated comment content.

There are no explicit commands provided in the resources for direct detection on a network or system, but you can:

  • Check the version of xmldom in your project dependencies using commands like `npm list @xmldom/xmldom` or `npm list xmldom`.
  • Review your code for usage of `XMLSerializer.serializeToString()` or similar serialization methods without the `requireWellFormed: true` option.
  • Scan XML comment nodes in serialized outputs for suspicious comment-breaking sequences such as `-->` that could indicate injection.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade the xmldom library to version 0.8.13 or later if you are using the 0.8.x branch, or to version 0.9.10 or later for the 0.9.x branch.

Enable the `requireWellFormed: true` option when calling `XMLSerializer.serializeToString()`, `Node.toString()`, or `NodeList.toString()` methods. This option enforces strict validation and throws an error if comment data contains unsafe sequences like `-->`.

Review and sanitize any attacker-controlled input that may be used in XML comment nodes to prevent injection of comment-breaking sequences.

If upgrading immediately is not possible, consider implementing input validation or sanitization on comment content to remove or escape sequences like `--` or `-->` before serialization.

Additionally, apply any patches or updates provided by the xmldom maintainers that address this vulnerability.
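The comment break-out described above and the strict check that prevents it, as an added example that is not xmldom's own code: a minimal comment serializer in its unsafe and strict forms, a neutralizing rewrite for callers that cannot reject the input, and the scan over serialized output suggested in the detection answer. The function names and the sample comment text are constructed for this example; the rule it enforces is the XML 1.0 comment grammar (no `--` inside comment data, no trailing `-`), which is stricter than looking for `-->` alone.

```javascript
"use strict";

// Added example, not xmldom's code. Function and sample names are this
// example's own. The well-formedness rule is the XML 1.0 comment grammar:
//   Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->'
// so comment data may not contain "--" and may not end with "-". Searching
// for "-->" alone is weaker than this rule.
function isWellFormedCommentData(data) {
  return !data.includes("--") && !data.endsWith("-");
}

// Pre-fix behaviour the advisory describes: the data is concatenated
// verbatim, so a "-->" inside it terminates the comment early and whatever
// follows becomes sibling markup in the output.
function serializeCommentUnsafe(data) {
  return "<!--" + data + "-->";
}

// Strict serializer (what a requireWellFormed-style mode must do): refuse
// to emit ill-formed comment data instead of writing it out.
function serializeCommentStrict(data) {
  if (!isWellFormedCommentData(data)) {
    throw new TypeError("comment data must not contain '--' or end with '-'");
  }
  return "<!--" + data + "-->";
}

// Neutralizing alternative for callers that cannot reject the input: put a
// space between consecutive hyphens and after a trailing hyphen. The result
// always satisfies isWellFormedCommentData, so it cannot close the comment.
function neutralizeCommentData(data) {
  let out = data;
  while (out.includes("--")) out = out.replace(/--/g, "- -");
  if (out.endsWith("-")) out += " ";
  return out;
}

// Detection over serialized output: walk the string, collect comment bodies,
// and record the offset of every "-->" met while *not* inside a comment.
// Output produced from a single comment node should yield exactly one
// comment, nothing else and no stray terminator; anything more means the
// comment data broke out of its delimiters.
function analyzeSerializedComments(xml) {
  const comments = [];
  const other = [];
  const strayTerminators = [];
  let buf = "";
  let i = 0;
  while (i < xml.length) {
    if (xml.startsWith("<!--", i)) {
      if (buf) { other.push(buf); buf = ""; }
      const end = xml.indexOf("-->", i + 4);
      if (end === -1) { comments.push(xml.slice(i + 4)); break; } // unterminated
      comments.push(xml.slice(i + 4, end));
      i = end + 3;
    } else if (xml.startsWith("-->", i)) {
      strayTerminators.push(i);
      buf += "-->";
      i += 3;
    } else {
      buf += xml[i];
      i += 1;
    }
  }
  if (buf) other.push(buf);
  return { comments, other, strayTerminators };
}

// Constructed sample: comment text that closes the comment and adds an element.
const HOSTILE_COMMENT = "note --><injected/>";

function demo() {
  const unsafe = serializeCommentUnsafe(HOSTILE_COMMENT);
  console.log("unsafe output:", unsafe);
  console.log("analysis:", JSON.stringify(analyzeSerializedComments(unsafe)));
  try {
    serializeCommentStrict(HOSTILE_COMMENT);
  } catch (e) {
    console.log("strict mode rejected it:", e.message);
  }
  const safe = serializeCommentStrict(neutralizeCommentData(HOSTILE_COMMENT));
  console.log("neutralized output:", safe);
  console.log("analysis:", JSON.stringify(analyzeSerializedComments(safe)));
}

demo();
```

Run with `node`. The unsafe path produces `<!--note --><injected/>-->`, which the analyzer reports as one comment (`note `), one run of other markup (`<injected/>-->`) and a stray terminator at offset 23; the strict path throws before anything is written, and the neutralized path yields a single comment with no stray terminator. Applying the same analysis to serialized documents in logs or message queues gives a cheap indicator that comment data escaped its delimiters.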

