CVE-2026-41674
XML External Entity Injection in xmldom
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xmldom | xmldom | up to 0.8.13 (excluding) |
| xmldom | xmldom | 0.8.13 |
| xmldom | xmldom | 0.9.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-91 | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41674 is a high-severity XML injection vulnerability in the @xmldom/xmldom npm package affecting certain versions prior to 0.9.10 and 0.8.13. The vulnerability occurs because the package serializes DocumentType node fields (internalSubset, publicId, systemId) without proper escaping or validation. When these fields are set to attacker-controlled strings, the XMLSerializer.serializeToString function can produce malformed DOCTYPE declarations, allowing arbitrary XML markup to appear outside the intended structure.
There are three injection vectors: internalSubset injection (where a value containing ]> prematurely closes the DOCTYPE declaration), publicId injection (where a malicious publicId breaks quoting context to inject fake SYSTEM entries), and systemId injection (where a systemId containing > terminates the DOCTYPE early). This vulnerability is exploitable when applications programmatically construct DocumentType nodes from user-controlled data and serialize them.
How can this vulnerability impact me?
This vulnerability primarily impacts the integrity of XML data by allowing attackers to inject malicious XML content through manipulated DocumentType node fields. The malformed DOCTYPE declarations can lead to arbitrary markup appearing outside the intended XML structure.
Downstream XML parsers that re-parse the serialized output may be vulnerable to XML External Entity (XXE)-class attacks if entity expansion is enabled, potentially leading to further security issues such as data disclosure or denial of service.
The vulnerability has a high CVSS v4 score of 8.7, indicating it is exploitable remotely with low complexity, no privileges, and no user interaction required.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when the xmldom package serializes DocumentType node fields (internalSubset, publicId, systemId) without proper escaping or validation, allowing XML injection if these fields contain attacker-controlled strings.
Detection involves identifying if your application uses vulnerable versions of @xmldom/xmldom (versions prior to 0.8.13 and 0.9.10) and whether it programmatically constructs DocumentType nodes from untrusted input.
Since the vulnerability is related to serialization of DocumentType nodes, you can detect suspicious serialized XML output containing malformed DOCTYPE declarations or unexpected markup outside the DOCTYPE.
There are no specific network commands provided in the resources, but you can audit your codebase for usage of xmldom versions < 0.8.13, or >= 0.9.0 and < 0.9.10, and check whether XMLSerializer.serializeToString is called without the requireWellFormed option.
You may also search logs or outputs for XML strings containing suspicious sequences such as "]>", malformed publicId or systemId values, or unexpected XML markup outside DOCTYPE declarations.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the xmldom package to versions 0.8.13 or 0.9.10 or later, where the vulnerability has been addressed.
Use the new `requireWellFormed: true` option when calling `XMLSerializer.serializeToString()` (and related methods like `Node.toString()` and `NodeList.toString()`). This option enforces validation of DocumentType node fields and throws an error if injection-prone sequences are detected.
- Upgrade xmldom to version 0.9.10 or 0.8.13 or later.
- Modify your serialization calls to include `{ requireWellFormed: true }` to enable strict validation.
- Audit your code to avoid programmatically setting DocumentType node fields (internalSubset, publicId, systemId) from untrusted input.
Note that creation-time validation of DocumentType nodes is planned for a future release, so currently direct property writes remain unguarded, making the serializer-level checks critical.
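The detection and mitigation advice above both come down to the same check: reject DocumentType field values that can break out of the DOCTYPE declaration. The guard below is an added example, not xmldom's own code; its rules are taken from the XML 1.0 grammar and the three sequences named in the advisory, and exact parity with what `requireWellFormed` checks is an assumption.

```javascript
// Added example, not xmldom's own code: validate DocumentType fields before
// serialization, the way the page says requireWellFormed does. The rules are
// taken from the XML 1.0 grammar (PubidChar for publicId; systemId must be
// quotable and must not contain '>') plus the "]>" sequence that closes an
// internal subset. Exact parity with xmldom's checks is an assumption.

const NAME_RE = /^[A-Za-z_:][A-Za-z0-9_.:-]*$/; // ASCII subset of the XML Name production
const PUBID_RE = /^[ \r\nA-Za-z0-9'()+,.\/:=?;!*#@$_%-]*$/;

function doctypeProblems({ name = '', publicId = '', systemId = '', internalSubset = '' }) {
  const problems = [];
  if (!NAME_RE.test(name)) problems.push('name: not a valid XML Name');
  if (!PUBID_RE.test(publicId)) problems.push('publicId: character outside PubidChar');
  if (systemId.includes('>')) problems.push("systemId: '>' would end the DOCTYPE early");
  if (systemId.includes('"') && systemId.includes("'")) problems.push('systemId: cannot be quoted');
  if (internalSubset.includes(']>')) problems.push("internalSubset: ']>' would close the subset early");
  return problems;
}

// Hardened serializer: fail closed rather than emit a malformed declaration.
function serializeDoctypeStrict(dt) {
  const problems = doctypeProblems(dt);
  if (problems.length > 0) throw new Error('unsafe DocumentType: ' + problems.join('; '));
  let out = '<!DOCTYPE ' + dt.name;
  if (dt.publicId) out += ' PUBLIC "' + dt.publicId + '"';
  if (dt.systemId) {
    const q = dt.systemId.includes('"') ? "'" : '"'; // choose a quote the value lacks
    out += (dt.publicId ? ' ' : ' SYSTEM ') + q + dt.systemId + q;
  }
  if (dt.internalSubset) out += ' [' + dt.internalSubset + ']';
  return out + '>';
}

// Constructed inputs: a benign XHTML doctype and the three sequences the advisory names.
const benign = {
  name: 'html',
  publicId: '-//W3C//DTD XHTML 1.0 Strict//EN',
  systemId: 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd',
};
const vectors = {
  internalSubset: { name: 'x', internalSubset: ']>' },
  publicId: { name: 'x', publicId: '"' },
  systemId: { name: 'x', systemId: '>' },
};

// Names of the constructed inputs the guard rejects (all three).
function rejectedVectors() {
  return Object.keys(vectors).filter((k) => doctypeProblems(vectors[k]).length > 0);
}
```

Running `doctypeProblems` over DocumentType nodes built from untrusted input, before any call to `serializeToString`, gives the audit described above a concrete check on versions that predate the `requireWellFormed` option.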
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41674 is a high-severity XML injection vulnerability that allows attackers to inject malicious XML content by exploiting unsafe serialization of DocumentType node fields. This can lead to integrity issues where arbitrary markup is introduced into XML documents.
Such integrity compromises can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and prevention of unauthorized data manipulation. If an attacker exploits this vulnerability to inject malicious XML, it could lead to unauthorized data disclosure or corruption, violating these regulatory requirements.
However, the vulnerability is only exploitable when applications programmatically construct DocumentType nodes from attacker-controlled data and serialize them without proper validation. The vulnerability has been patched in newer versions by introducing a `requireWellFormed` option that enforces validation and prevents injection.
Therefore, failure to update or properly configure the xmldom library could expose systems to risks that undermine compliance with data protection and security standards.