PatchSiren cyber security CVE debrief

CVE-2026-41673 xmldom CVE debrief

CVE-2026-41673 is a high-severity vulnerability in xmldom, a JavaScript XML DOM module. Versions prior to 0.9.10 and 0.8.13 are affected: seven recursive traversals in lib/dom.js operate without a depth limit, so a sufficiently deeply nested DOM tree triggers a RangeError: Maximum call stack size exceeded and crashes the application. The issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. The vulnerability has a CVSS score of 8.7 and is rated HIGH severity. The CVE was published on 2026-05-07T04:16:33.257Z and last modified on 2026-07-01T13:17:14.150Z.

Vendor: xmldom
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-07
Original CVE updated: 2026-07-01
Advisory published: 2026-05-07
Advisory updated: 2026-07-01

Who should care

Developers and administrators running xmldom versions prior to 0.9.10 and 0.8.13 should be aware of this vulnerability. Because the issue crashes the parsing application, it amounts to a denial of service (DoS). Users of Red Hat products may also be affected, as indicated by Red Hat's security advisories.

Technical summary

The xmldom module, a pure JavaScript implementation of the W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer`, has a vulnerability in versions prior to 0.9.10 and 0.8.13. The issue arises from seven recursive traversals in lib/dom.js that operate without a depth limit. When a sufficiently deeply nested DOM tree is encountered, it causes a RangeError: Maximum call stack size exceeded, resulting in the application crashing. This vulnerability can be exploited through a specially crafted XML document.

Defensive priority

High priority should be given to updating xmldom to version 0.9.10 or 0.8.13. Developers should review their applications' dependency trees to confirm they are using a patched version of xmldom.

Recommended defensive actions

  • Update xmldom to version 0.9.10 or 0.8.13
  • Review application dependency trees for vulnerable xmldom versions
  • Implement input validation for XML documents to prevent deeply nested structures
  • Monitor applications for crashes or errors related to xmldom
  • Consider using alternative XML parsing libraries with built-in protections
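The input-validation step above, and the unbounded recursion described in the technical summary, can be illustrated with a pre-parse nesting-depth check. This is an added example and not xmldom's own code: it walks the raw XML text iteratively, computes the maximum element nesting depth, and only hands documents under a limit to the real parser. The limit of 256, the `parse` callback, and the function names are assumptions; with xmldom the callback would be `(s) => new DOMParser().parseFromString(s, 'text/xml')`.

```javascript
// Added example (not xmldom's own code). MAX_DEPTH is an assumed limit;
// tune it to the deepest legitimate document the application expects.
const MAX_DEPTH = 256;

// Index of the '>' closing the tag at `lt`, ignoring '>' inside quoted attribute values.
function tagEnd(xml, lt) {
  let quote = null;
  for (let i = lt + 1; i < xml.length; i++) {
    const c = xml[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return i;
  }
  return -1; // unterminated tag
}

// Maximum element nesting depth of the raw text, computed without recursion.
// Comments, CDATA, processing instructions and the DOCTYPE are skipped.
function maxNestingDepth(xml) {
  let depth = 0, max = 0, i = 0;
  while ((i = xml.indexOf('<', i)) !== -1) {
    if (xml.startsWith('<!--', i)) {
      const end = xml.indexOf('-->', i + 4);
      if (end === -1) throw new Error('unterminated comment');
      i = end + 3; continue;
    }
    if (xml.startsWith('<![CDATA[', i)) {
      const end = xml.indexOf(']]>', i + 9);
      if (end === -1) throw new Error('unterminated CDATA section');
      i = end + 3; continue;
    }
    const gt = tagEnd(xml, i);
    if (gt === -1) throw new Error('unterminated tag');
    const c = xml[i + 1];
    if (c === '/') depth--;                                            // end tag
    else if (c !== '?' && c !== '!' && xml[gt - 1] !== '/') depth++;  // start tag
    if (depth < 0) throw new Error('end tag without matching start tag');
    if (depth > max) max = depth;
    i = gt + 1;
  }
  return max;
}

// Gate the real parser: reject over-deep input with a clear error instead of a stack overflow.
function parseBounded(xml, parse, maxDepth = MAX_DEPTH) {
  const depth = maxNestingDepth(xml);
  if (depth > maxDepth) throw new Error(`XML nesting depth ${depth} exceeds limit ${maxDepth}`);
  return parse(xml);
}
```

The check is linear in document size and does not itself recurse, so it is safe to run on untrusted input of any nesting depth.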

Evidence notes

The CVE-2026-41673 vulnerability was published on 2026-05-07 and last modified on 2026-07-01. The issue affects xmldom versions prior to 0.9.10 and 0.8.13. Red Hat has also addressed this vulnerability in their products, as indicated by their security advisories and errata.

Official resources

This article is AI-assisted and based on the supplied source corpus.