PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34601 xmldom CVE debrief

CVE-2026-34601 is a HIGH severity vulnerability in xmldom, a JavaScript XML DOM module. The vulnerability allows XML structure injection via attacker-supplied strings containing the CDATA terminator "]]>". During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting the terminator or safely splitting the section around it. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9. Users should update to these versions to mitigate the vulnerability.

Vendor: xmldom
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-02
Original CVE updated: 2026-06-30
Advisory published: 2026-04-02
Advisory updated: 2026-06-30

Who should care

Developers and administrators using xmldom or @xmldom/xmldom in their applications should be aware of this vulnerability and take steps to mitigate it. This vulnerability could allow an attacker to inject malicious XML structure, potentially leading to business-logic manipulation.

Technical summary

The xmldom and @xmldom/xmldom modules are vulnerable to XML structure injection due to improper handling of CDATA terminators. When an attacker-supplied string containing the CDATA terminator "]]>" is placed in a CDATASection node, the XMLSerializer emits the CDATA content verbatim, so the terminator closes the section early and whatever follows it is serialized as markup rather than text. This vulnerability has been assigned a CVSS score of 7.5 and a severity of HIGH.
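The following is an added illustration, not xmldom's own code: a stand-in serializer shows why an unsplit "]]>" ends a CDATA section early, and how the standard safe-splitting fix keeps the text intact. The function names and the minimal CDATA reader are hypothetical.

```javascript
// Added example (not xmldom's code). Demonstrates the CDATA terminator
// problem described in the advisory and the usual mitigation.
const CDATA_END = "]]>";

// Naive serializer: emits the text verbatim. This models the behaviour the
// advisory describes: a "]]>" inside the text closes the section early.
function serializeCdataNaive(text) {
  return `<![CDATA[${text}]]>`;
}

// Hardened serializer: a CDATA section cannot legally contain "]]>", so the
// text is split at each occurrence. "]]" stays in the first section and ">"
// begins the next, so a conforming parser reassembles the original text.
function serializeCdataSafe(text) {
  const parts = text.split(CDATA_END);
  return "<![CDATA[" + parts.join("]]]]><![CDATA[>") + "]]>";
}

// Input-side check: flag or reject strings carrying the terminator before
// they are handed to a CDATASection node.
function containsCdataTerminator(text) {
  return text.includes(CDATA_END);
}

// Hypothetical minimal reader: accepts only a run of CDATA sections and
// returns their concatenated text. Returns null if anything else appears,
// i.e. if text has leaked out of the CDATA section as markup.
function readCdataSequence(xml) {
  let out = "";
  let pos = 0;
  while (pos < xml.length) {
    if (!xml.startsWith("<![CDATA[", pos)) return null; // structure leaked
    const end = xml.indexOf(CDATA_END, pos + 9);
    if (end < 0) return null; // unterminated section
    out += xml.slice(pos + 9, end);
    pos = end + 3;
  }
  return out;
}

// Constructed untrusted input containing the terminator.
const UNTRUSTED = "text ]]> more";
console.log(containsCdataTerminator(UNTRUSTED)); // true
console.log(readCdataSequence(serializeCdataNaive(UNTRUSTED))); // null
console.log(readCdataSequence(serializeCdataSafe(UNTRUSTED))); // "text ]]> more"
```

The naive output reads as a closed CDATA section followed by stray markup, which is exactly the condition the reader rejects; the split output round-trips to the original string.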

Defensive priority

High priority should be given to updating xmldom to version 0.6.0 and @xmldom/xmldom to version 0.8.12 or 0.9.9, the fixed releases named in the advisory. Additionally, developers should review their applications for potential XML injection vulnerabilities and implement proper input validation and sanitization.

Recommended defensive actions

  • Update xmldom to version 0.6.0 or later
  • Update @xmldom/xmldom to a fixed release: version 0.8.12 or 0.9.9, or later
  • Review applications for potential XML injection vulnerabilities
  • Implement proper input validation and sanitization
  • Monitor for suspicious activity

Evidence notes

The CVE-2026-34601 vulnerability was publicly disclosed on April 2, 2026, and has since been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9. The vulnerability has a CVSS score of 7.5 and a severity of HIGH. There is no evidence of this vulnerability being exploited in the wild.

Official resources

This article was generated with AI assistance based on the supplied source corpus.