Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for xmldom by xmldom

    CVE-2026-41675 (GCVE-0-2026-41675)

    Vulnerability from nvd – Published: 2026-05-07 03:49 – Updated: 2026-06-30 12:08
    VLAI
    Title
    xmldom: XML node injection through unvalidated processing instruction serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10
    Affected: @xmldom/xmldom < 0.8.13
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41675",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T13:43:50.798218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T13:44:35.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:49:34.056Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom. A remote attacker can exploit this vulnerability by providing specially crafted processing instruction data. Due to improper validation of the processing instruction closing sequence, the attacker can terminate the instruction prematurely and inject arbitrary XML nodes into the serialized output. This can lead to data manipulation and integrity issues within applications that process the affected XML."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:46.008Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41675"
              },
              {
                "name": "RHBZ#2467629",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467629"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41675.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:01:58.399Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:49:34.056Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?\u003e. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:49:34.056Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-x6wf-f3px-wcqx",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML node injection through unvalidated processing instruction serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41675",
        "datePublished": "2026-05-07T03:49:34.056Z",
        "dateReserved": "2026-04-22T03:53:24.406Z",
        "dateUpdated": "2026-06-30T12:08:46.008Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41674 (GCVE-0-2026-41674)

    Vulnerability from nvd – Published: 2026-05-07 03:47 – Updated: 2026-06-30 12:08
    VLAI
    Title
    xmldom: XML injection through unvalidated DocumentType serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41674",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T12:35:22.818916Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T12:35:39.361Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.8::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.20::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.20",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.21::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:47:51.140Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript library for parsing and serializing XML. This vulnerability allows an attacker to inject arbitrary XML markup into a document due to improper handling of DocumentType node fields during serialization. By crafting malicious input, an attacker can cause the XML serializer to prematurely terminate the DOCTYPE declaration, enabling the insertion of unauthorized content. This could lead to information disclosure or, in certain configurations, the execution of arbitrary code."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:46.303Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41674"
              },
              {
                "name": "RHBZ#2467620",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467620"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41674.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:21338"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:21703"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:20034"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:21338: Red Hat Developer Hub 1.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:21703: Red Hat OpenShift Container Platform 4.20"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:20034: Red Hat OpenShift Container Platform 4.21"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:01:25.803Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:47:51.140Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: xmldom: Arbitrary XML markup injection",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:47:51.140Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-f6ww-3ggp-fr8h",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML injection through unvalidated DocumentType serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41674",
        "datePublished": "2026-05-07T03:47:51.140Z",
        "dateReserved": "2026-04-22T03:53:24.405Z",
        "dateUpdated": "2026-06-30T12:08:46.303Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41673 (GCVE-0-2026-41673)

    Vulnerability from nvd – Published: 2026-05-07 03:40 – Updated: 2026-07-01 12:04
    VLAI
    Title
    xmldom: Denial of service via uncontrolled recursion in XML serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-674 - Uncontrolled Recursion
    • CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10
    Affected: @xmldom/xmldom < 0.8.13
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41673",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T14:08:40.798873Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T14:10:45.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:40:28.378Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in the `xmldom` library, a JavaScript module for parsing XML documents. An attacker could exploit this vulnerability by providing a specially crafted, deeply nested XML document. This could lead to a Denial of Service (DoS) by causing the application to crash due to excessive recursion."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-776",
                    "description": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T12:04:43.236Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41673"
              },
              {
                "name": "RHBZ#2467630",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467630"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41673.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:02:01.500Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:40:28.378Z",
                "value": "Made public."
              }
            ],
            "title": "@xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-674",
                  "description": "CWE-674: Uncontrolled Recursion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:40:28.378Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-2v35-w6hq-6mfw",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: Denial of service via uncontrolled recursion in XML serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41673",
        "datePublished": "2026-05-07T03:40:28.378Z",
        "dateReserved": "2026-04-22T03:53:24.405Z",
        "dateUpdated": "2026-07-01T12:04:43.236Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41672 (GCVE-0-2026-41672)

    Vulnerability from nvd – Published: 2026-05-07 03:36 – Updated: 2026-06-30 12:08
    VLAI
    Title
    xmldom: XML node injection through unvalidated comment serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10
    Affected: @xmldom/xmldom < 0.8.13
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41672",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T14:11:04.312092Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T14:58:08.512Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:36:16.914Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript module for parsing and serializing XML. This vulnerability allows an attacker to inject malicious content into XML comments. By doing so, the attacker can prematurely close a comment and insert unauthorized XML elements into the final output. This could lead to the manipulation of data within the XML document."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:46.592Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41672"
              },
              {
                "name": "RHBZ#2467631",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467631"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41672.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:02:05.372Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:36:16.914Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:36:16.914Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"
            },
            {
              "name": "https://github.com/xmldom/xmldom/pull/987",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/pull/987"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-j759-j44w-7fr8",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML node injection through unvalidated comment serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41672",
        "datePublished": "2026-05-07T03:36:16.914Z",
        "dateReserved": "2026-04-22T03:53:24.405Z",
        "dateUpdated": "2026-06-30T12:08:46.592Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34601 (GCVE-0-2026-34601)

    Vulnerability from nvd – Published: 2026-04-02 17:47 – Updated: 2026-06-30 12:09
    VLAI
    Title
    xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom < 0.8.12
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.9
    Create a notification for this product.
    Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34601",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T16:02:29.353065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T16:03:21.485Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Developer Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-02T17:47:13.209Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom. A remote attacker can exploit this by inserting specific character sequences, known as the CDATA (Character Data) terminator ]]\u003e, into a CDATASection node. When the XML is serialized, these sequences are not properly handled, allowing them to be interpreted as active XML markup. This vulnerability enables XML structure injection, which could lead to manipulation of the XML data and affect business logic."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:11.332Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-34601"
              },
              {
                "name": "RHBZ#2454595",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454595"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34601.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-02T19:03:40.667Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-02T17:47:13.209Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: xmldom: XML structure injection via CDATA terminator",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.12"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]\u003e to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T17:47:13.209Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.12"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.9"
            }
          ],
          "source": {
            "advisory": "GHSA-wh4c-j3r5-mjhp",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34601",
        "datePublished": "2026-04-02T17:47:13.209Z",
        "dateReserved": "2026-03-30T17:15:52.500Z",
        "dateUpdated": "2026-06-30T12:09:11.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-39353 (GCVE-0-2022-39353)

    Vulnerability from nvd – Published: 2022-11-02 00:00 – Updated: 2025-04-22 17:16
    VLAI
    Title
    xmldom allows multiple root nodes in a DOM
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-1288 - Improper Validation of Consistency within Input
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: <= 0.6.0
    Affected: < 0.7.7
    Affected: >= 0.8.0, < 0.8.4
    Affected: >= 0.9.0-beta.1, < 0.9.0-beta.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:00:44.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jindw/xmldom/issues/150"
              },
              {
                "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-39353",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-22T15:39:20.618073Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-22T17:16:38.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 0.7.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 0.8.0, \u003c 0.8.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.0-beta.1, \u003c 0.9.0-beta.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1288",
                  "description": "CWE-1288: Improper Validation of Consistency within Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-01T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
            },
            {
              "url": "https://github.com/jindw/xmldom/issues/150"
            },
            {
              "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
            }
          ],
          "source": {
            "advisory": "GHSA-crh6-fp67-6883",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom allows multiple root nodes in a DOM"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-39353",
        "datePublished": "2022-11-02T00:00:00.000Z",
        "dateReserved": "2022-09-02T00:00:00.000Z",
        "dateUpdated": "2025-04-22T17:16:38.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-32796 (GCVE-0-2021-32796)

    Vulnerability from nvd – Published: 2021-07-27 21:45 – Updated: 2024-08-03 23:33
    VLAI
    Title
    Misinterpretation of malicious XML input in xmldom
    Summary
    xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: < 0.7.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:33:55.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.7.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-27T21:45:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b"
            }
          ],
          "source": {
            "advisory": "GHSA-5fg8-2547-mr8q",
            "discovery": "UNKNOWN"
          },
          "title": "Misinterpretation of malicious XML input in xmldom",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-32796",
              "STATE": "PUBLIC",
              "TITLE": "Misinterpretation of malicious XML input in xmldom"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "xmldom",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 0.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "xmldom"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-116: Improper Encoding or Escaping of Output"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
                },
                {
                  "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q"
                },
                {
                  "name": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b",
                  "refsource": "MISC",
                  "url": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-5fg8-2547-mr8q",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-32796",
        "datePublished": "2021-07-27T21:45:13.000Z",
        "dateReserved": "2021-05-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:33:55.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21366 (GCVE-0-2021-21366)

    Vulnerability from nvd – Published: 2021-03-12 00:00 – Updated: 2024-08-03 18:09
    VLAI
    Title
    Misinterpretation of malicious XML input
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
    CWE
    • CWE-436 - Interpretation Conflict
    • CWE-115 - Misinterpretation of Input
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: < 0.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:16.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/xmldom"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
              },
              {
                "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436 Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "CWE-115: Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-01T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
            },
            {
              "url": "https://www.npmjs.com/package/xmldom"
            },
            {
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
            },
            {
              "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
            },
            {
              "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
            }
          ],
          "source": {
            "advisory": "GHSA-h6q6-9hqw-rwfv",
            "discovery": "UNKNOWN"
          },
          "title": "Misinterpretation of malicious XML input"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21366",
        "datePublished": "2021-03-12T00:00:00.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:16.000Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-41675 (GCVE-0-2026-41675)

    Vulnerability from cvelistv5 – Published: 2026-05-07 03:49 – Updated: 2026-06-30 12:08
    VLAI
    Title
    xmldom: XML node injection through unvalidated processing instruction serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10
    Affected: @xmldom/xmldom < 0.8.13
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41675",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T13:43:50.798218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T13:44:35.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:49:34.056Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom. A remote attacker can exploit this vulnerability by providing specially crafted processing instruction data. Due to improper validation of the processing instruction closing sequence, the attacker can terminate the instruction prematurely and inject arbitrary XML nodes into the serialized output. This can lead to data manipulation and integrity issues within applications that process the affected XML."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:46.008Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41675"
              },
              {
                "name": "RHBZ#2467629",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467629"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41675.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:01:58.399Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:49:34.056Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?\u003e. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:49:34.056Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-x6wf-f3px-wcqx",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML node injection through unvalidated processing instruction serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41675",
        "datePublished": "2026-05-07T03:49:34.056Z",
        "dateReserved": "2026-04-22T03:53:24.406Z",
        "dateUpdated": "2026-06-30T12:08:46.008Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41674 (GCVE-0-2026-41674)

    Vulnerability from cvelistv5 – Published: 2026-05-07 03:47 – Updated: 2026-06-30 12:08
    VLAI
    Title
    xmldom: XML injection through unvalidated DocumentType serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41674",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T12:35:22.818916Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T12:35:39.361Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.8::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.20::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.20",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4.21::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4.21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:47:51.140Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript library for parsing and serializing XML. This vulnerability allows an attacker to inject arbitrary XML markup into a document due to improper handling of DocumentType node fields during serialization. By crafting malicious input, an attacker can cause the XML serializer to prematurely terminate the DOCTYPE declaration, enabling the insertion of unauthorized content. This could lead to information disclosure or, in certain configurations, the execution of arbitrary code."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:46.303Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41674"
              },
              {
                "name": "RHBZ#2467620",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467620"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41674.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:21338"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:21703"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:20034"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:21338: Red Hat Developer Hub 1.8"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:21703: Red Hat OpenShift Container Platform 4.20"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:20034: Red Hat OpenShift Container Platform 4.21"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:01:25.803Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:47:51.140Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: xmldom: Arbitrary XML markup injection",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:47:51.140Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-f6ww-3ggp-fr8h",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML injection through unvalidated DocumentType serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41674",
        "datePublished": "2026-05-07T03:47:51.140Z",
        "dateReserved": "2026-04-22T03:53:24.405Z",
        "dateUpdated": "2026-06-30T12:08:46.303Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41673 (GCVE-0-2026-41673)

    Vulnerability from cvelistv5 – Published: 2026-05-07 03:40 – Updated: 2026-07-01 12:04
    VLAI
    Title
    xmldom: Denial of service via uncontrolled recursion in XML serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-674 - Uncontrolled Recursion
    • CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10
    Affected: @xmldom/xmldom < 0.8.13
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41673",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T14:08:40.798873Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T14:10:45.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:40:28.378Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in the `xmldom` library, a JavaScript module for parsing XML documents. An attacker could exploit this vulnerability by providing a specially crafted, deeply nested XML document. This could lead to a Denial of Service (DoS) by causing the application to crash due to excessive recursion."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-776",
                    "description": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T12:04:43.236Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41673"
              },
              {
                "name": "RHBZ#2467630",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467630"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41673.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:02:01.500Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:40:28.378Z",
                "value": "Made public."
              }
            ],
            "title": "@xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-674",
                  "description": "CWE-674: Uncontrolled Recursion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:40:28.378Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-2v35-w6hq-6mfw",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: Denial of service via uncontrolled recursion in XML serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41673",
        "datePublished": "2026-05-07T03:40:28.378Z",
        "dateReserved": "2026-04-22T03:53:24.405Z",
        "dateUpdated": "2026-07-01T12:04:43.236Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41672 (GCVE-0-2026-41672)

    Vulnerability from cvelistv5 – Published: 2026-05-07 03:36 – Updated: 2026-06-30 12:08
    VLAI
    Title
    xmldom: XML node injection through unvalidated comment serialization
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.10
    Affected: @xmldom/xmldom < 0.8.13
    Create a notification for this product.
    Red Hat Red Hat Developer Hub 1.9     cpe:/a:redhat:rhdh:1.9::el9
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41672",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T14:11:04.312092Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T14:58:08.512Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Developer Hub 1.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "affected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T03:36:16.914Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript module for parsing and serializing XML. This vulnerability allows an attacker to inject malicious content into XML comments. By doing so, the attacker can prematurely close a comment and insert unauthorized XML elements into the final output. This could lead to the manipulation of data within the XML document."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:08:46.592Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-41672"
              },
              {
                "name": "RHBZ#2467631",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467631"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41672.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:26234"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:26234: Red Hat Developer Hub 1.9"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T05:02:05.372Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T03:36:16.914Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.10"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T03:36:16.914Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8"
            },
            {
              "name": "https://github.com/xmldom/xmldom/pull/987",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/pull/987"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.13"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.10"
            }
          ],
          "source": {
            "advisory": "GHSA-j759-j44w-7fr8",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML node injection through unvalidated comment serialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41672",
        "datePublished": "2026-05-07T03:36:16.914Z",
        "dateReserved": "2026-04-22T03:53:24.405Z",
        "dateUpdated": "2026-06-30T12:08:46.592Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34601 (GCVE-0-2026-34601)

    Vulnerability from cvelistv5 – Published: 2026-04-02 17:47 – Updated: 2026-06-30 12:09
    VLAI
    Title
    xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-91 - XML Injection (aka Blind XPath Injection)
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: xmldom <= 0.6.0
    Affected: @xmldom/xmldom < 0.8.12
    Affected: @xmldom/xmldom >= 0.9.0, < 0.9.9
    Create a notification for this product.
    Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
    Create a notification for this product.
    Red Hat Red Hat Build of Podman Desktop     cpe:/a:redhat:podman_desktop:1
    Create a notification for this product.
    Red Hat Red Hat Developer Hub     cpe:/a:redhat:rhdh:1
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Self-service automation portal 2     cpe:/a:redhat:ansible_portal:2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34601",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T16:02:29.353065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T16:03:21.485Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:podman_desktop:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Build of Podman Desktop",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhdh:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Developer Hub",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_portal:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Self-service automation portal 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-02T17:47:13.209Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in xmldom. A remote attacker can exploit this by inserting specific character sequences, known as the CDATA (Character Data) terminator ]]\u003e, into a CDATASection node. When the XML is serialized, these sequences are not properly handled, allowing them to be interpreted as active XML markup. This vulnerability enables XML structure injection, which could lead to manipulation of the XML data and affect business logic."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-91",
                    "description": "XML Injection (aka Blind XPath Injection)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:11.332Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-34601"
              },
              {
                "name": "RHBZ#2454595",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454595"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34601.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-02T19:03:40.667Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-02T17:47:13.209Z",
                "value": "Made public."
              }
            ],
            "title": "xmldom: xmldom: XML structure injection via CDATA terminator",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "xmldom \u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003c 0.8.12"
                },
                {
                  "status": "affected",
                  "version": "@xmldom/xmldom \u003e= 0.9.0, \u003c 0.9.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]\u003e to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-91",
                  "description": "CWE-91: XML Injection (aka Blind XPath Injection)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T17:47:13.209Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.12"
            },
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.9"
            }
          ],
          "source": {
            "advisory": "GHSA-wh4c-j3r5-mjhp",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34601",
        "datePublished": "2026-04-02T17:47:13.209Z",
        "dateReserved": "2026-03-30T17:15:52.500Z",
        "dateUpdated": "2026-06-30T12:09:11.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-39353 (GCVE-0-2022-39353)

    Vulnerability from cvelistv5 – Published: 2022-11-02 00:00 – Updated: 2025-04-22 17:16
    VLAI
    Title
    xmldom allows multiple root nodes in a DOM
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-1288 - Improper Validation of Consistency within Input
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: <= 0.6.0
    Affected: < 0.7.7
    Affected: >= 0.8.0, < 0.8.4
    Affected: >= 0.9.0-beta.1, < 0.9.0-beta.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:00:44.144Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/jindw/xmldom/issues/150"
              },
              {
                "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-39353",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-22T15:39:20.618073Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-22T17:16:38.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 0.6.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 0.7.7"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 0.8.0, \u003c 0.8.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 0.9.0-beta.1, \u003c 0.9.0-beta.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@\u003e=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1288",
                  "description": "CWE-1288: Improper Validation of Consistency within Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-01T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883"
            },
            {
              "url": "https://github.com/jindw/xmldom/issues/150"
            },
            {
              "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
            }
          ],
          "source": {
            "advisory": "GHSA-crh6-fp67-6883",
            "discovery": "UNKNOWN"
          },
          "title": "xmldom allows multiple root nodes in a DOM"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-39353",
        "datePublished": "2022-11-02T00:00:00.000Z",
        "dateReserved": "2022-09-02T00:00:00.000Z",
        "dateUpdated": "2025-04-22T17:16:38.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-32796 (GCVE-0-2021-32796)

    Vulnerability from cvelistv5 – Published: 2021-07-27 21:45 – Updated: 2024-08-03 23:33
    VLAI
    Title
    Misinterpretation of malicious XML input in xmldom
    Summary
    xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: < 0.7.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T23:33:55.989Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.7.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116: Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-27T21:45:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b"
            }
          ],
          "source": {
            "advisory": "GHSA-5fg8-2547-mr8q",
            "discovery": "UNKNOWN"
          },
          "title": "Misinterpretation of malicious XML input in xmldom",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-32796",
              "STATE": "PUBLIC",
              "TITLE": "Misinterpretation of malicious XML input in xmldom"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "xmldom",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 0.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "xmldom"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-116: Improper Encoding or Escaping of Output"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
                },
                {
                  "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q"
                },
                {
                  "name": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b",
                  "refsource": "MISC",
                  "url": "https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-5fg8-2547-mr8q",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-32796",
        "datePublished": "2021-07-27T21:45:13.000Z",
        "dateReserved": "2021-05-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T23:33:55.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-21366 (GCVE-0-2021-21366)

    Vulnerability from cvelistv5 – Published: 2021-03-12 00:00 – Updated: 2024-08-03 18:09
    VLAI
    Title
    Misinterpretation of malicious XML input
    Summary
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
    CWE
    • CWE-436 - Interpretation Conflict
    • CWE-115 - Misinterpretation of Input
    Assigner
    Impacted products
    Vendor Product Version
    xmldom xmldom Affected: < 0.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:09:16.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.npmjs.com/package/xmldom"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
              },
              {
                "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xmldom",
              "vendor": "xmldom",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436 Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-115",
                  "description": "CWE-115: Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-01T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
            },
            {
              "url": "https://www.npmjs.com/package/xmldom"
            },
            {
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
            },
            {
              "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
            },
            {
              "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
            }
          ],
          "source": {
            "advisory": "GHSA-h6q6-9hqw-rwfv",
            "discovery": "UNKNOWN"
          },
          "title": "Misinterpretation of malicious XML input"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-21366",
        "datePublished": "2021-03-12T00:00:00.000Z",
        "dateReserved": "2020-12-22T00:00:00.000Z",
        "dateUpdated": "2024-08-03T18:09:16.000Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }