CVE-2026-41674: xmldom has XML injection through unvalidated DocumentType serialization
The package serializes the DocumentType node fields (internalSubset, publicId, systemId) verbatim,
without escaping or validation. When these fields are set programmatically to attacker-controlled
strings, XMLSerializer.serializeToString can produce output in which the DOCTYPE declaration is
terminated early and arbitrary markup appears outside it.
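As an added example (not xmldom's own code and not the referenced fix commit), the check an application can apply to externally supplied DocumentType fields before building the node: it rejects values that fall outside XML 1.0's PubidChar, SystemLiteral and intSubset productions, which is exactly what would let a serialized DOCTYPE be closed early. Function names and error strings are this example's own.

```javascript
// Added example, not xmldom's code: validate DocumentType fields taken from external
// input against the XML 1.0 grammar before a DOM builder accepts them, so that the
// serialized <!DOCTYPE ...> cannot be terminated early. Names here are this example's own.
const PUBID_RE = /^[\x20\r\na-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/; // PubidChar, XML 1.0 section 2.3
const NAME_RE = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;                // ASCII subset of Name

function checkPublicId(publicId) {
  // PubidChar admits neither quote kind, '<', '>' nor ']', so a match is safe to emit.
  return PUBID_RE.test(publicId) ? null : 'publicId: character outside PubidChar';
}

function checkSystemId(systemId) {
  // SystemLiteral is quoted with whichever quote the value lacks; a value holding both
  // kinds cannot be quoted at all, and control characters are never allowed.
  if (systemId.includes('"') && systemId.includes("'")) return 'systemId: contains both quote kinds';
  if (/[\x00-\x08\x0B\x0C\x0E-\x1F]/.test(systemId)) return 'systemId: control character';
  return null;
}

function checkInternalSubset(subset) {
  // intSubset ::= (markupdecl | DeclSep)*: outside quoted literals and comments, '<' may
  // only open '<!' or '<?', and ']' (which closes the subset) must not appear at all.
  for (let i = 0; i < subset.length; i++) {
    const c = subset[i];
    if (c === '"' || c === "'") {                  // skip a quoted literal
      const end = subset.indexOf(c, i + 1);
      if (end < 0) return 'internalSubset: unterminated literal';
      i = end;
    } else if (subset.startsWith('<!--', i)) {     // skip a comment
      const end = subset.indexOf('-->', i + 4);
      if (end < 0) return 'internalSubset: unterminated comment';
      i = end + 2;
    } else if (c === '<') {
      const n = subset[i + 1];
      if (n !== '!' && n !== '?') return 'internalSubset: element markup is not allowed';
    } else if (c === ']') {
      return 'internalSubset: "]" would close the DOCTYPE early';
    }
  }
  return null;
}

// Returns the list of problems; an empty list means the fields can be passed to the DOM.
function validateDocumentType({ name, publicId = '', systemId = '', internalSubset = '' }) {
  return [
    NAME_RE.test(name) ? null : 'name: not an XML Name',
    checkPublicId(publicId), checkSystemId(systemId), checkInternalSubset(internalSubset),
  ].filter(Boolean);
}
```

This is an input-side guard for code that must build DOCTYPE nodes from untrusted data; the actual remediation is upgrading to the patched releases listed below (0.8.13 or 0.9.10).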
References
- github.com/advisories/GHSA-f6ww-3ggp-fr8h
- github.com/xmldom/xmldom
- github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314
- github.com/xmldom/xmldom/releases/tag/0.8.13
- github.com/xmldom/xmldom/releases/tag/0.9.10
- github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h
- nvd.nist.gov/vuln/detail/CVE-2026-41674