PT-2026-29497 · Xmldom, @Xmldom/Xmldom

Thesmartshadow · Published 2026-04-01 · Updated 2026-06-04

CVE-2026-34601
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: xmldom versions 0.6.0 and prior, and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9

Description: The xmldom library accepts attacker-controlled strings that contain the CDATA terminator ]]> in a CDATASection node. During serialization, the XMLSerializer emits the CDATA content verbatim, neither rejecting the terminator nor splitting it safely across two sections, so the section is closed early and data intended as text becomes active XML markup in the serialized output. This enables XML structure injection and potential manipulation of downstream business logic. The issue affects Document.createCDATASection(data), CharacterData.appendData(), CharacterData.replaceData(), CharacterData.insertData(), and direct assignment to .data or .textContent. Parsing XML that already contains a CDATA section is not affected. Exploitation can lead to integrity violations of generated XML documents and potential business-logic injection in downstream consumers.

Recommendations: Update to xmldom version 0.6.0 or later. Update @xmldom/xmldom to version 0.8.12 or 0.9.9 or later.
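The following is an added example, not code from xmldom or from the advisory's author. It is a self-contained model of CDATA serialization that shows the defect described above (an embedded ]]> closes the section early) next to the two defensive options: splitting the terminator across adjacent CDATA sections, or rejecting it outright. The readBackCdata helper, the sample payload and all function names are constructed for this illustration; none of them come from the xmldom API.

```javascript
// Added example: minimal model of CDATA serialization, not xmldom's own code.
// XML 1.0 forbids the literal sequence "]]>" inside a CDATA section. A serializer
// that emits CDATA content verbatim lets that sequence terminate the section early,
// turning the remainder of the "text" into live markup.

const CDATA_OPEN = '<![CDATA[';
const CDATA_TERMINATOR = ']]>';

// Unsafe serializer: models the vulnerable behaviour (content emitted verbatim).
function serializeCdataUnsafe(data) {
  return CDATA_OPEN + data + CDATA_TERMINATOR;
}

// Safe serializer: every "]]>" in the data is split so that "]]" ends one section
// and ">" starts the next. A parser concatenates adjacent CDATA sections, so the
// text round-trips unchanged while no embedded terminator can close the section.
function serializeCdataSafe(data) {
  return CDATA_OPEN + data.split(CDATA_TERMINATOR).join(']]]]><![CDATA[>') + CDATA_TERMINATOR;
}

// Strict alternative policy: refuse untrusted data that carries the terminator
// instead of rewriting it. Useful where the producer wants an error, not a repair.
function assertNoCdataTerminator(data) {
  if (data.includes(CDATA_TERMINATOR)) {
    throw new Error('CDATA terminator "]]>" is not allowed in untrusted data');
  }
  return data;
}

// Models what an XML parser would see when reading the serialized output back:
// `text` is the concatenated content of consecutive CDATA sections, `leaked` is
// everything that ended up outside a CDATA section and would be parsed as markup.
function readBackCdata(serialized) {
  let text = '';
  let leaked = '';
  let pos = 0;
  while (pos < serialized.length) {
    if (serialized.startsWith(CDATA_OPEN, pos)) {
      const start = pos + CDATA_OPEN.length;
      const end = serialized.indexOf(CDATA_TERMINATOR, start);
      if (end === -1) throw new Error('unterminated CDATA section');
      text += serialized.slice(start, end);
      pos = end + CDATA_TERMINATOR.length;
    } else {
      const next = serialized.indexOf(CDATA_OPEN, pos);
      const stop = next === -1 ? serialized.length : next;
      leaked += serialized.slice(pos, stop);
      pos = stop;
    }
  }
  return { text, leaked };
}

// Constructed sample input: untrusted text that carries the terminator followed by
// element markup. With the unsafe serializer the markup escapes the CDATA section.
const UNTRUSTED = 'note]]><injected/><![CDATA[rest';

function demo() {
  const unsafe = readBackCdata(serializeCdataUnsafe(UNTRUSTED));
  const safe = readBackCdata(serializeCdataSafe(UNTRUSTED));
  return {
    unsafeText: unsafe.text,      // 'noterest'
    unsafeLeaked: unsafe.leaked,  // '<injected/>' now lives in markup context
    safeText: safe.text,          // identical to UNTRUSTED
    safeLeaked: safe.leaked,      // ''
  };
}

console.log(demo());
```

The detection idea carries over to code review of any hand-rolled serializer: if untrusted data reaches a CDATA section, check that the terminator is either split or rejected before emission, and that the output, when parsed back, yields exactly the original text with nothing left over in markup context.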


Weakness Enumeration

Related Identifiers

CVE-2026-34601
GHSA-WH4C-J3R5-MJHP
OPENSUSE-SU-2026:10497-1
OPENSUSE-SU-2026:10506-1

Affected Products

@Xmldom/Xmldom
Xmldom