CVE-2026-41674
XML Injection vulnerability in xmldom (npm)
What is CVE-2026-41674 About?
This vulnerability in `xmldom` allows XML injection through unescaped `DocumentType` node fields during serialization, leading to arbitrary markup injection. An attacker who controls the arguments of `createDocumentType` (or the node's fields) can close the DOCTYPE early or inject entity and other declarations, which can enable XXE-class attacks if a downstream parser expands those entities. Exploitation is moderately complex: it requires programmatic control over `DocumentType` creation followed by serialization of the resulting document.
Affected Software
- @xmldom/xmldom
- <0.8.13
- >=0.9.0, <0.9.10
- xmldom
- <=0.6.0
Technical Details
The xmldom library's `XMLSerializer.serializeToString` method writes the `DocumentType` node fields (`internalSubset`, `publicId`, `systemId`) into the output verbatim, without escaping or validation. When these fields are set programmatically from attacker-controlled strings, via `DOMImplementation.createDocumentType` or by writing the node's properties directly, arbitrary XML markup can be injected:
- `internalSubset`: a value containing `]>` prematurely terminates the DOCTYPE, so whatever follows is emitted as raw XML.
- `publicId`: a value can break out of the quoting context and append a fake `SYSTEM` entry (e.g. `"pubid" SYSTEM "evil"`).
- `systemId`: a value containing `>` can terminate the DOCTYPE, so subsequent content appears as sibling XML elements.
The parse path is safe because the SAX parser enforces the DOCTYPE grammar, so these values cannot be produced by parsing a document; the vulnerability is reached only through programmatic `createDocumentType` calls (or property writes) followed by serialization. The practical exposure is XXE-class attacks when the serialized output is re-parsed by an entity-expanding parser.
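The three breakouts above, reproduced with an added, self-contained model of the verbatim DOCTYPE serialization the advisory describes (this is example code, not code from `@xmldom/xmldom`; the plain object `{name, publicId, systemId, internalSubset}` stands in for a `DocumentType` node). The `checkDoctypeFields` validator is an assumed hardening based on the XML 1.0 `PubidLiteral`/`SystemLiteral` productions, not the upstream fix; the attacker-controlled sample values are constructed here:

```javascript
'use strict';

// Vulnerable pattern (models what the advisory describes): every field is
// concatenated into the DOCTYPE unchanged, with no escaping or validation.
function serializeDoctypeVerbatim(dt) {
  let out = '<!DOCTYPE ' + dt.name;
  if (dt.publicId) {
    out += ' PUBLIC "' + dt.publicId + '"';
    if (dt.systemId) out += ' "' + dt.systemId + '"';
  } else if (dt.systemId) {
    out += ' SYSTEM "' + dt.systemId + '"';
  }
  if (dt.internalSubset) out += ' [' + dt.internalSubset + ']';
  return out + '>';
}

// Assumed hardening (not the library's fix): reject values that cannot occur in
// the XML 1.0 production for the field they are written into.
const NAME_RE = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;                    // Name (ASCII subset)
const PUBID_RE = /^[\x20\x0D\x0Aa-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;  // PubidChar*

function checkDoctypeFields(dt) {
  const problems = [];
  if (!NAME_RE.test(dt.name)) problems.push('name');
  // PubidLiteral cannot contain '"', so 'pubid" SYSTEM "evil' is rejected.
  if (dt.publicId != null && !PUBID_RE.test(dt.publicId)) problems.push('publicId');
  // SystemLiteral is emitted with '"' quotes, so the value may not contain one.
  if (dt.systemId != null && dt.systemId.includes('"')) problems.push('systemId');
  // ']' followed by optional whitespace and '>' would end the DOCTYPE early.
  // Deliberately conservative: a legitimate subset could carry this inside a
  // comment, and this check prefers a false positive over a breakout.
  if (dt.internalSubset != null && /\]\s*>/.test(dt.internalSubset)) problems.push('internalSubset');
  return problems;
}

function serializeDoctypeChecked(dt) {
  const problems = checkDoctypeFields(dt);
  if (problems.length) throw new Error('rejected DocumentType fields: ' + problems.join(', '));
  return serializeDoctypeVerbatim(dt);
}

// Constructed attacker-controlled inputs, one per field named in the advisory.
const samples = {
  internalSubset: { name: 'root', internalSubset: '<!ENTITY a "1">]><injected/><!DOCTYPE x [' },
  publicId:       { name: 'root', publicId: 'pubid" SYSTEM "evil', systemId: 'legit.dtd' },
  systemId:       { name: 'root', systemId: 'a.dtd"><injected/><!-- ' },
};

// A benign DocumentType that the validator must still accept.
const benign = {
  name: 'html',
  publicId: '-//W3C//DTD XHTML 1.0//EN',
  systemId: 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd',
  internalSubset: '<!ENTITY e "v">',
};

// Returns, per field, the injected output of the verbatim serializer and the
// outcome of the checked serializer (the serialized string or the rejection).
function demo() {
  const result = {};
  for (const [field, dt] of Object.entries(samples)) {
    let checked;
    try { checked = serializeDoctypeChecked(dt); } catch (e) { checked = e.message; }
    result[field] = { unsafe: serializeDoctypeVerbatim(dt), checked };
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
console.log(serializeDoctypeChecked(benign));
```

Note that the `internalSubset` check only guards the closing context: an attacker who controls that field can still declare entities, because declarations are what the field is for. Whether those entities are dangerous is decided by the parser that later consumes the serialized output, which is why the re-parsing side must also disable external entity expansion.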
What is the Impact of CVE-2026-41674?
Successful exploitation may allow attackers to inject arbitrary XML markup, potentially leading to XML External Entity (XXE) attacks if downstream XML parsers expand entities from the injected DOCTYPE declarations.
What is the Exploitability of CVE-2026-41674?
Exploitation of this vulnerability is of moderate complexity. It requires programmatic control over the arguments of `createDocumentType`, or direct property writes to a `DocumentType` node's fields (`publicId`, `systemId`, `internalSubset`). No authentication is required for the vulnerability itself, but the attacker needs a way to get data into these fields through the application's own logic. Remote exploitation is possible if the application exposes an API that accepts user-controlled data, builds `DocumentType` nodes from it, and then serializes them. There are no privilege requirements for the injection itself; the ultimate impact (e.g. XXE) depends on the privileges of the process that re-parses the output. Two constraints apply: the application must serialize the constructed `DocumentType` node for the injection to manifest, and for XXE the serialized output must be consumed by an XML parser that expands entities.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-41674?
Available Upgrade Options
- @xmldom/xmldom
- <0.8.13 → Upgrade to 0.8.13
- @xmldom/xmldom
- >=0.9.0, <0.9.10 → Upgrade to 0.9.10
No fixed release is listed for the unscoped `xmldom` package (<=0.6.0 affected); it is the deprecated predecessor of `@xmldom/xmldom`, so migrate to the scoped package at a fixed version.
Additional Resources
- https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h
- https://osv.dev/vulnerability/GHSA-f6ww-3ggp-fr8h
- https://github.com/xmldom/xmldom
- https://github.com/xmldom/xmldom/releases/tag/0.8.13
- https://github.com/xmldom/xmldom/releases/tag/0.9.10
- https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314
What are Similar Vulnerabilities to CVE-2026-41674?
Similar Vulnerabilities: CVE-2023-5072, CVE-2022-38501, CVE-2021-39148, CVE-2020-26210, CVE-2019-1000002
