PatchSiren cyber security CVE debrief
CVE-2026-41675 xmldom CVE debrief
CVE-2026-41675 is a high-severity vulnerability in the xmldom package, a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. The vulnerability allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence `?>`. An attacker can therefore terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. The issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. The CVE was published on May 7, 2026, and modified on June 30, 2026.
- Vendor: xmldom
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-07
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-07
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using the xmldom package in their applications should be aware of this vulnerability and take steps to mitigate it. This includes updating to patched versions of the package and ensuring that any affected systems or applications are properly updated. Additionally, users of Red Hat products may be affected, as indicated by the presence of Red Hat references in the CVE metadata.
Technical summary
The xmldom package is vulnerable to a high-severity issue (CVSS score of 8.7) that allows attacker-controlled processing instruction data to be serialized into XML without proper validation or neutralization. This can lead to the injection of arbitrary XML nodes into the serialized output. The vulnerability is caused by the lack of validation or neutralization of the PI-closing sequence `?>` in the package's serialization functionality. Patched versions of the package have been released, and users should update to versions 0.9.10 or 0.8.13 to mitigate the vulnerability.
Defensive priority
High priority should be given to updating to patched versions of the xmldom package, as well as reviewing and updating any affected systems or applications. Additionally, users should ensure that their systems and applications are properly configured and monitored to prevent exploitation of this vulnerability.
Recommended defensive actions
- Update to patched versions of the xmldom package (0.9.10 or 0.8.13).
- Review and update any affected systems or applications.
- Ensure that systems and applications are properly configured and monitored to prevent exploitation.
- Consider implementing additional security controls, such as input validation and output encoding, to mitigate the vulnerability.
- Monitor for any suspicious activity or indicators of compromise.
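The following is an added example, not code from xmldom, the CVE record, or the debrief itself. It illustrates the kind of check the "input validation" item above refers to: a processing instruction whose data contains `?>` is refused before serialization, because that sequence closes the PI early and lets whatever follows it be parsed as further XML nodes. The function names and the constructed sample data are ours; how upstream @xmldom/xmldom actually implemented its fix is not assumed here.

```javascript
// Added example (not xmldom's code): validate processing-instruction (PI)
// target and data before serializing, so that attacker-controlled data
// cannot close the PI early with "?>" and splice extra nodes into the output.
// Function names are our own; upstream's fix is not assumed.

// ASCII subset of the XML 1.0 PITarget production (a Name, minus the
// reserved "xml" in any letter case).
const PI_TARGET_RE = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;

function isValidPiTarget(target) {
  return PI_TARGET_RE.test(target) && target.toLowerCase() !== 'xml';
}

// XML 1.0: PI data is any run of characters not containing "?>".
function isValidPiData(data) {
  return !data.includes('?>');
}

// Naive serializer: mirrors the behaviour the advisory describes, where
// caller-supplied data is concatenated straight into the output.
function serializePiUnchecked(target, data) {
  return `<?${target} ${data}?>`;
}

// Hardened serializer: rejects an invalid target or data containing "?>".
function serializePiChecked(target, data) {
  if (!isValidPiTarget(target)) {
    throw new Error(`invalid PI target: ${JSON.stringify(target)}`);
  }
  if (!isValidPiData(data)) {
    throw new Error('PI data must not contain "?>"');
  }
  return `<?${target} ${data}?>`;
}

// Counts markup tokens (PIs and tags) in a serialized fragment, to show that
// the unchecked path can yield more than the single PI the caller intended.
function countMarkupTokens(xml) {
  return (xml.match(/<\?[\s\S]*?\?>|<[^?][^>]*>/g) || []).length;
}

// Constructed sample input: stylesheet PI data that has been tampered with.
const constructedData = 'href="a.css"?><injected/><?dummy ';

console.log(countMarkupTokens(serializePiUnchecked('xml-stylesheet', 'href="a.css"'))); // 1
console.log(countMarkupTokens(serializePiUnchecked('xml-stylesheet', constructedData))); // 3
try {
  serializePiChecked('xml-stylesheet', constructedData);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Applications that cannot upgrade immediately can apply a check of this shape at the point where untrusted data enters a PI; it does not replace the patched package, since the serializer itself is where the sequence must ultimately be neutralized.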
Evidence notes
The CVE metadata indicates that the vulnerability was published on May 7, 2026, and modified on June 30, 2026. The NVD detail page and CVE record provide additional information about the vulnerability. Red Hat references are present, indicating potential impact on Red Hat products. The CVE has a CVSS score of 8.7 and is classified as HIGH severity.
Official resources
- CVE-2026-41675 CVE record (CVE.org)
- CVE-2026-41675 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.