Compliance Impact

CVE-2026-41674 is a high-severity XML injection vulnerability that allows attackers to inject malicious XML content by exploiting unsafe serialization of DocumentType node fields. This can lead to integrity issues where arbitrary markup is introduced into XML documents.

Such integrity compromises can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and prevention of unauthorized data manipulation. If an attacker exploits this vulnerability to inject malicious XML, it could lead to unauthorized data disclosure or corruption, violating these regulatory requirements.

However, the vulnerability is only exploitable when applications programmatically construct DocumentType nodes from attacker-controlled data and serialize them without proper validation. The vulnerability has been patched in newer versions by introducing a 'requireWellFormed' option that enforces validation and prevents injection.

Therefore, failure to update or properly configure the xmldom library could expose systems to risks that undermine compliance with data protection and security standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-41674 is a high-severity XML injection vulnerability in the @xmldom/xmldom npm package affecting certain versions prior to 0.9.10 and 0.8.13. The vulnerability occurs because the package serializes DocumentType node fields (internalSubset, publicId, systemId) without proper escaping or validation. When these fields are set to attacker-controlled strings, the XMLSerializer.serializeToString function can produce malformed DOCTYPE declarations, allowing arbitrary XML markup to appear outside the intended structure.

There are three injection vectors: internalSubset injection (where a value containing ]> prematurely closes the DOCTYPE declaration), publicId injection (where a malicious publicId breaks quoting context to inject fake SYSTEM entries), and systemId injection (where a systemId containing > terminates the DOCTYPE early). This vulnerability is exploitable when applications programmatically construct DocumentType nodes from user-controlled data and serialize them.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability primarily impacts the integrity of XML data by allowing attackers to inject malicious XML content through manipulated DocumentType node fields. The malformed DOCTYPE declarations can lead to arbitrary markup appearing outside the intended XML structure.

Downstream XML parsers that re-parse the serialized output may be vulnerable to XML External Entity (XXE)-class attacks if entity expansion is enabled, potentially leading to further security issues such as data disclosure or denial of service.

The vulnerability has a high CVSS v4 score of 8.7, indicating it is exploitable remotely with low complexity, no privileges, and no user interaction required.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises when the xmldom package serializes DocumentType node fields (internalSubset, publicId, systemId) without proper escaping or validation, allowing XML injection if these fields contain attacker-controlled strings.

Detection involves identifying if your application uses vulnerable versions of @xmldom/xmldom (versions prior to 0.8.13 and 0.9.10) and whether it programmatically constructs DocumentType nodes from untrusted input.

Since the vulnerability is related to serialization of DocumentType nodes, you can detect suspicious serialized XML output containing malformed DOCTYPE declarations or unexpected markup outside the DOCTYPE.

There are no specific network commands provided in the resources, but you can audit your codebase for usage of xmldom versions < 0.8.13 or >= 0.9.0 < 0.9.10 and check if XMLSerializer.serializeToString is called without the requireWellFormed option.

You may also search logs or outputs for XML strings containing suspicious sequences such as "]>", malformed publicId or systemId values, or unexpected XML markup outside DOCTYPE declarations.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the xmldom package to versions 0.8.13 or 0.9.10 or later, where the vulnerability has been addressed.

Use the new `requireWellFormed: true` option when calling `XMLSerializer.serializeToString()` (and related methods like `Node.toString()` and `NodeList.toString()`). This option enforces validation of DocumentType node fields and throws an error if injection-prone sequences are detected.

• Upgrade xmldom to version 0.9.10 or 0.8.13 or later.
• Modify your serialization calls to include `{ requireWellFormed: true }` to enable strict validation.
• Audit your code to avoid programmatically setting DocumentType node fields (internalSubset, publicId, systemId) from untrusted input.

Note that creation-time validation of DocumentType nodes is planned for a future release, so currently direct property writes remain unguarded, making the serializer-level checks critical.

Useful 0 Not Useful 0