PatchSiren


CVE-2026-41675 xmldom CVE debrief

CVE-2026-41675 is a high-severity vulnerability in xmldom, a pure-JavaScript `DOMParser` and `XMLSerializer` implementation of the W3C DOM Level 2 Core standard. When a DOM tree containing a processing instruction (PI) is serialized, attacker-controlled PI data is written into the XML output without validating or neutralizing the PI-closing sequence `?>`. An attacker who can influence that data can therefore terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. The issue is patched in `@xmldom/xmldom` versions 0.9.10 and 0.8.13. The CVE was published on May 7, 2026 and last modified on June 30, 2026.

Vendor
xmldom
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-07
Original CVE updated
2026-06-30
Advisory published
2026-05-07
Advisory updated
2026-06-30

Who should care

Developers and administrators running applications that depend on the xmldom package should care, in particular where the application builds a DOM from untrusted input and serializes it for another consumer that will parse the result as trusted XML. The fix is to update to a patched release and redeploy anything that bundles the affected version. Users of Red Hat products may also be affected: the CVE metadata carries Red Hat references, so check the Red Hat advisories for the products you run.

Technical summary

A processing instruction is serialized as `<?target data?>`. XML provides no escape for `?>` inside PI data; the grammar simply forbids it, so a serializer must either reject such data or neutralize it before writing. The affected xmldom releases write PI data verbatim. If an attacker controls that data, for example through `createProcessingInstruction` or by setting a PI node's `data` from request input, a `?>` in the data closes the PI early and everything after it is emitted as raw markup, letting the attacker add elements, further PIs or other nodes to the output. The vulnerability is rated HIGH with a CVSS score of 8.7. Patched releases are 0.9.10 and 0.8.13 of `@xmldom/xmldom`; update to whichever matches the line you are on.
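The following is an added illustration of the flaw class, not xmldom's own code: a minimal PI serializer that writes data verbatim (the vulnerable shape), a hardened variant that rejects `?>`, and a crude tokenizer that shows what a downstream parser would see. The payload in `ATTACKER_DATA` and the function names are constructed for the example.

```javascript
// Added illustration, not xmldom's source. Run with: node pi-injection.js
//
// XML grammar: PI ::= '<?' PITarget (S (Char* - (Char* '?>' Char*)))? '?>'
// PI data has no escape mechanism; "?>" is simply not allowed inside it.
// A serializer that writes the data verbatim lets "?>" close the PI early,
// and everything after it is emitted as raw markup.

// Vulnerable shape: PI data written verbatim (the bug class of CVE-2026-41675).
function serializePIUnsafe(target, data) {
  return `<?${target} ${data}?>`;
}

// Hardened shape: validate the target name and refuse data containing "?>".
// Rejecting is preferable to rewriting, because any substitution changes
// the PI's meaning silently.
function serializePISafe(target, data) {
  if (!/^[A-Za-z_:][\w.:-]*$/.test(target) || /^xml$/i.test(target)) {
    throw new Error(`invalid PI target: ${JSON.stringify(target)}`);
  }
  if (data.includes('?>')) {
    throw new Error('PI data must not contain "?>"');
  }
  return `<?${target} ${data}?>`;
}

// Crude top-level tokenizer used only to show what a consumer would see:
// PIs, tags and text. Not a full XML parser.
function tokenize(xml) {
  const re = /<\?[\s\S]*?\?>|<[^>]*>|[^<]+/g;
  return (xml.match(re) || []).map((raw) => ({
    type: raw.startsWith('<?') ? 'pi' : raw.startsWith('<') ? 'element' : 'text',
    raw,
  }));
}

// Constructed attacker-controlled PI data (hypothetical payload): closes the
// PI, injects an element, then opens a dummy PI so the serializer's own
// closing "?>" terminates that one instead of breaking the document.
const ATTACKER_DATA = 'version="1.0"?><admin role="superuser"/><?ignored x';

// Serialize the attacker's PI with the vulnerable shape and report the
// elements that appear at top level as a result.
function demo() {
  const out = serializePIUnsafe('xml-stylesheet', ATTACKER_DATA);
  const injected = tokenize(out).filter((t) => t.type === 'element');
  return { out, injectedElements: injected.map((t) => t.raw) };
}

const result = demo();
console.log('unsafe output:     ', result.out);
console.log('injected elements: ', result.injectedElements);
try {
  serializePISafe('xml-stylesheet', ATTACKER_DATA);
} catch (e) {
  console.log('hardened serializer:', e.message);
}
```

The unsafe output parses as two processing instructions with an `<admin role="superuser"/>` element between them; the hardened serializer throws before any output is produced. Note that the check has to happen in the serializer (or at the point where untrusted data enters the PI node), since there is no encoding step that could make `?>` safe inside PI data.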

Defensive priority

High. The update is the fix, and it should be treated as a priority for any service that serializes XML built from untrusted input, because the outcome is attacker-chosen XML nodes in output that downstream systems will parse as trusted. Until the update ships, do not let untrusted data reach processing instruction nodes, and keep the usual configuration and monitoring controls in place around the affected services.

Recommended defensive actions

  • Update `@xmldom/xmldom` to 0.9.10 (0.9.x line) or 0.8.13 (0.8.x line) and regenerate lockfiles; check transitive dependencies as well, since xmldom is often pulled in indirectly.
  • Inventory the applications and bundled artifacts that ship an affected version and redeploy them after the update.
  • Where PI data can originate from untrusted input, reject values containing `?>` before they reach the DOM; there is no escape sequence for `?>` in PI data, so output encoding cannot help here.
  • Treat XML serialized by an unpatched version as untrusted wherever another parser consumes it.
  • Monitor for suspicious activity or indicators of compromise.
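To make the first two actions concrete, here is an added example (not part of the advisory) that audits an npm `package-lock.json` (lockfileVersion 2 or 3, which carry a flat `packages` map) for installs of `@xmldom/xmldom` below the fixed releases named above. The sample lockfile and its dependency names are constructed; the rule that releases on lines other than 0.8.x and 0.9.x count as affected is this example's assumption, since the advisory names no fixed release for them.

```javascript
// Added example, not part of the advisory. Run with: node audit-xmldom.js
// Fixed releases per the advisory: 0.8.13 (0.8.x line) and 0.9.10 (0.9.x line).

const FIX_08 = [0, 8, 13];
const FIX_09 = [0, 9, 10];

function parseVersion(v) {
  // Pre-release and build suffixes (e.g. "0.9.10-rc.1") are ignored here, so
  // a pre-release of a fixed version is treated as fixed (assumption).
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Fixed iff v >= 0.9.10, or 0.8.13 <= v < 0.9.0. Any other release,
// including older 0.x lines, is treated as affected (assumption of this
// example: the advisory names no fixed release for those lines).
function isFixed(version) {
  const v = parseVersion(version);
  if (cmp(v, FIX_09) >= 0) return true;
  return cmp(v, FIX_08) >= 0 && cmp(v, [0, 9, 0]) < 0;
}

// Walk the flat "packages" map; nested installs appear as
// node_modules/<dep>/node_modules/@xmldom/xmldom and are covered too.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/@xmldom/xmldom')) {
      findings.push({
        path,
        version: entry.version,
        status: isFixed(entry.version) ? 'fixed' : 'affected',
      });
    } else if (path.endsWith('node_modules/xmldom')) {
      // Unscoped legacy package name: the advisory's fixed versions are for
      // @xmldom/xmldom only, so flag it for manual review.
      findings.push({ path, version: entry.version, status: 'review' });
    }
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk.
function auditLockFile(file) {
  const fs = require('fs');
  return auditLock(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample lockfile with hypothetical dependency names.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/@xmldom/xmldom': { version: '0.8.10' },
    'node_modules/saml-lib': { version: '4.2.0' },
    'node_modules/saml-lib/node_modules/@xmldom/xmldom': { version: '0.9.10' },
    'node_modules/legacy-lib': { version: '2.1.0' },
    'node_modules/legacy-lib/node_modules/xmldom': { version: '0.6.0' },
    'node_modules/other-lib': { version: '1.3.0' },
    'node_modules/other-lib/node_modules/@xmldom/xmldom': { version: '0.8.13' },
    'node_modules/old-lib': { version: '0.4.0' },
    'node_modules/old-lib/node_modules/@xmldom/xmldom': { version: '0.7.5' },
  },
};

const sampleFindings = auditLock(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`${f.status.padEnd(8)} ${f.version.padEnd(8)} ${f.path}`);
}
```

Against the sample, the root install (0.8.10) and the nested 0.7.5 come back as affected, 0.9.10 and 0.8.13 as fixed, and the unscoped `xmldom` 0.6.0 under `legacy-lib` is flagged for review. Pass a real lockfile to `auditLockFile` to run the same check on your own tree; for lockfileVersion 1 files, which nest `dependencies` instead of listing `packages`, the walk would need to recurse.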

Evidence notes

The CVE metadata gives a publication date of May 7, 2026 and a last-modified date of June 30, 2026, a CVSS score of 8.7 and a HIGH severity rating. The NVD detail page and the CVE record are the primary references. Red Hat references are present in the metadata, indicating potential impact on Red Hat products; no CISA KEV listing appears in the stored evidence.

Official resources

This article is AI-assisted and based on the supplied source corpus.