PatchSiren cyber security CVE debrief
CVE-2026-34601 xmldom CVE debrief
CVE-2026-34601 is a HIGH severity vulnerability in xmldom, a JavaScript XML DOM module. The vulnerability allows XML structure injection via attacker-supplied strings containing the CDATA terminator ]]>. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9. Users should update to these versions to mitigate the vulnerability.
- Vendor: xmldom
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-02
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-02
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using xmldom or @xmldom/xmldom in their applications should be aware of this vulnerability and take steps to mitigate it. This vulnerability could allow an attacker to inject malicious XML structure, potentially leading to business-logic manipulation.
Technical summary
The xmldom and @xmldom/xmldom modules are vulnerable to XML structure injection due to improper handling of the CDATA terminator. When an attacker-supplied string containing ]]> is placed in a CDATASection node, XMLSerializer emits the content verbatim, so the embedded ]]> closes the CDATA section early and whatever follows it is parsed as markup rather than as text, allowing the injection of malicious XML structure. This vulnerability has been assigned a CVSS score of 7.5 and a severity of HIGH.
Defensive priority
High priority should be given to updating xmldom to version 0.6.0 and @xmldom/xmldom to version 0.8.12 or 0.9.9. Additionally, developers should review their applications for potential XML injection vulnerabilities, in particular untrusted input placed into CDATA sections, and implement proper input validation and sanitization.
Recommended defensive actions
- Update xmldom to version 0.6.0 or later
- Update @xmldom/xmldom to version 0.8.12 or 0.9.9 (or later), the patched releases named in the advisory
- Review applications for potential XML injection vulnerabilities
- Implement proper input validation and sanitization
- Monitor for suspicious activity
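The defensive handling that the technical summary and the validation action above call for, as an added example that is not code from the xmldom project: a pre-check that flags untrusted text carrying the CDATA terminator, the verbatim (vulnerable) emission beside a serializer that splits ]]> across two adjacent CDATA sections, and a small reader used only to show what structure a parser would recover from each form. The sample inputs and the helper names are constructed for this example.

```javascript
// Added example, not code from the xmldom project: a CDATA serializer that
// splits the "]]>" terminator instead of emitting it verbatim, a pre-check
// that flags untrusted input carrying the terminator, and a small reader
// used here to show what structure a parser would see. Sample inputs are
// constructed for this example.

const CDATA_END = "]]>";

// Defensive pre-check: true when untrusted text would close a CDATA
// section early if serialized verbatim.
function containsCdataTerminator(text) {
  return text.includes(CDATA_END);
}

// Verbatim emission, the behaviour the advisory describes as vulnerable.
function naiveCdataSection(text) {
  return "<![CDATA[" + text + CDATA_END;
}

// Safe form: every "]]>" is split across two adjacent CDATA sections, so
// "]]" ends one section and ">" begins the next. A parser concatenates
// them back into the original text, and no markup escapes the CDATA.
//   "a]]>b"  ->  "<![CDATA[a]]]]><![CDATA[>b]]>"
function safeCdataSection(text) {
  return "<![CDATA[" + text.split(CDATA_END).join("]]" + CDATA_END + "<![CDATA[>") + CDATA_END;
}

// Minimal CDATA reader for this demonstration: returns the character data a
// parser would recover from the CDATA sections and whatever is left over
// outside them (the leftover is the escaped markup in the vulnerable case).
function readCdataText(xml) {
  const re = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  let text = "";
  for (const m of xml.matchAll(re)) text += m[1];
  return { text, leftover: xml.replace(re, "") };
}

// Round-trip check: serialization is safe when the reader gets the same
// text back and nothing spills outside the CDATA sections.
function preservesTextOnly(text) {
  const out = readCdataText(safeCdataSection(text));
  return out.text === text && out.leftover === "";
}

const untrusted = "note]]><extra/>"; // constructed sample input
console.log(readCdataText(naiveCdataSection(untrusted))); // leftover: "<extra/>]]>"
console.log(preservesTextOnly(untrusted));                // true
```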
Evidence notes
The CVE-2026-34601 vulnerability was publicly disclosed on April 2, 2026, and has since been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9. The vulnerability has a CVSS score of 7.5 and a severity of HIGH. There is no evidence of this vulnerability being exploited in the wild.
Official resources
- CVE-2026-34601 CVE record (CVE.org)
- CVE-2026-34601 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.