PatchSiren cyber security CVE debrief
CVE-2026-41674 xmldom CVE debrief
The CVE-2026-41674 vulnerability affects the xmldom package, specifically versions prior to 0.9.10 and 0.8.13. This package is a pure JavaScript implementation of the W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. The vulnerability arises from the package's serialization of DocumentType node fields (internalSubset, publicId, systemId) without proper escaping or validation. When these fields are set programmatically to attacker-controlled strings, the XMLSerializer.serializeToString function can produce output where the DOCTYPE declaration is terminated early, allowing arbitrary markup to appear outside it. This issue has been patched in versions 0.9.10 and 0.8.13 of @xmldom/xmldom. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity.
- Vendor
- xmldom
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-07
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-05-07
- Advisory updated
- 2026-06-30
Who should care
Developers and users of the xmldom package, especially those using versions prior to 0.9.10 and 0.8.13, should be aware of this vulnerability. Given the high severity and CVSS score of 8.7, immediate attention is recommended to ensure that the package is updated to a patched version. Red Hat users may also be affected, as indicated by multiple Red Hat errata references.
Technical summary
The xmldom package, a JavaScript implementation of the W3C XML DOM Level 2 Core, has a vulnerability (CVE-2026-41674) that allows for the serialization of DocumentType node fields without proper escaping or validation. This can lead to the premature termination of the DOCTYPE declaration and the injection of arbitrary markup. The vulnerability is exploitable when attacker-controlled strings are programmatically set as DocumentType node fields and then serialized using XMLSerializer.serializeToString. Patched versions are 0.9.10 and 0.8.13 for @xmldom/xmldom.
Defensive priority
High priority should be given to updating the xmldom package to versions 0.9.10 or 0.8.13, or later, to mitigate this vulnerability. Given the high CVSS score, defenders should treat this as a critical update.
Recommended defensive actions
- Update @xmldom/xmldom to version 0.9.10 or 0.8.13, or later.
- Review and validate the use of DocumentType node fields in your application.
- Implement additional validation and sanitization for any user-controlled input that is used to set DocumentType node fields.
- Monitor for any suspicious activity related to XML serialization in your application.
- Consider compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent potential exploitation attempts.
Evidence notes
The CVE-2026-41674 vulnerability is documented in multiple sources, including the NVD and Red Hat's security advisories. The vulnerability affects xmldom package versions prior to 0.9.10 and 0.8.13. Patched versions have been released to address this issue. Red Hat has also provided errata for affected products.
Official resources
-
CVE-2026-41674 CVE record
CVE.org
-
CVE-2026-41674 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
- Source reference
- Source reference
- Source reference
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.