PT-2026-34615 · Root +4 · @Rootio/Xmldom Xmldom +3
Jvr2022 +1 · Published 2026-04-22 · Updated 2026-05-07 · CVE-2026-41672
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

@xmldom/xmldom 0.8.x versions prior to 0.8.13
@xmldom/xmldom 0.9.x versions prior to 0.9.10
xmldom versions prior to 0.6.0
Description

The software allows attacker-controlled comment content to be serialized into XML without validating or neutralizing the sequences that terminate a comment. The issue lies in the DOM construction and serialization flow for comment nodes: createComment() stores the supplied string as-is, and the serializer later concatenates it between the comment delimiters <!-- and -->. XML 1.0 forbids the string "--" inside a comment (and a comment's data cannot end in "-"), so comment data that contains "-->" closes the comment early; whatever follows is emitted as ordinary markup, and the attacker can inject arbitrary XML nodes (elements, attributes, further comments) into the serialized output. This changes the meaning and structure of the generated document, which matters for any workflow that stores, forwards, signs, or re-parses the resulting XML, such as configuration or policy documents: a consumer parsing the output sees nodes the producing application never created.
Recommendations

For @xmldom/xmldom, update the 0.8.x line to 0.8.13 or the 0.9.x line to 0.9.10 and explicitly pass the { requireWellFormed: true } option to serializeToString(); the fixed versions enforce the check only when this option is set, so upgrading alone is not sufficient. Where upgrading is not possible, reject or rewrite comment data that contains "--" (or ends with "-") before it reaches createComment(). For xmldom versions prior to 0.6.0, no newer version containing a fix is known at the time of writing.
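The following is an added illustration of the Description and Recommendations above; it is not xmldom's code and does not call the library. It models the pattern the advisory describes (comment data stored verbatim, delimiters concatenated at serialization time) beside the XML 1.0 well-formedness check that a requireWellFormed-style option applies, using a constructed policy document as input. All function names, the toy document model and the sample payload are assumptions made for the example.

```javascript
// Added example, not xmldom's implementation: a minimal model of the
// comment-serialization flaw and of the well-formedness check that fixes it.
// Function names, the document model and the payload are assumptions.

// XML 1.0 section 2.5: comment data must not contain "--" and must not end with
// "-" (a trailing "-" would produce "--->"). This is the property that decides
// whether a comment can be emitted without breaking out of its delimiters.
function isWellFormedCommentData(data) {
  return !data.includes("--") && !data.endsWith("-");
}

// Vulnerable pattern: data is placed between the delimiters unchanged.
function serializeCommentUnsafe(data) {
  return "<!--" + data + "-->";
}

// Hardened pattern: refuse to serialize data that would terminate the comment
// (the behaviour a requireWellFormed-style option turns on).
function serializeCommentStrict(data) {
  if (!isWellFormedCommentData(data)) {
    throw new Error('comment data contains "--" or ends with "-"; not well-formed');
  }
  return "<!--" + data + "-->";
}

// Returns true when the strict serializer rejects the data.
function strictRejects(data) {
  try {
    serializeCommentStrict(data);
    return false;
  } catch (e) {
    return true;
  }
}

// Toy document model standing in for a DOM tree: a <policy> root holding an
// attacker-supplied comment node followed by a single deny rule. The comment
// text is stored as-is, mirroring what createComment() does.
function buildPolicyDoc(commentText, serializeComment) {
  const children = [
    { type: "comment", data: commentText },
    { type: "element", name: "rule", attrs: { action: "deny" } },
  ];
  let out = "<policy>";
  for (const child of children) {
    if (child.type === "comment") {
      out += serializeComment(child.data);
    } else {
      const attrs = Object.entries(child.attrs)
        .map(([k, v]) => ` ${k}="${v}"`)
        .join("");
      out += `<${child.name}${attrs}/>`;
    }
  }
  return out + "</policy>";
}

// Crude structural check a downstream consumer might perform: count start tags
// that lie outside comments. Adequate for this model, which emits no CDATA
// sections or processing instructions.
function countElementsOutsideComments(xml) {
  const withoutComments = xml.replace(/<!--[\s\S]*?-->/g, "");
  return (withoutComments.match(/<[A-Za-z][^>]*>/g) || []).length;
}

// Constructed attacker input: closes the comment, injects an allow rule, then
// reopens a comment so the serializer's trailing "-->" still parses cleanly.
const ATTACKER_COMMENT = 'audit note--><rule action="allow"/><!--';

console.log("benign:   ", buildPolicyDoc("audit note", serializeCommentUnsafe));
console.log("injected: ", buildPolicyDoc(ATTACKER_COMMENT, serializeCommentUnsafe));
console.log("strict serializer rejects payload:", strictRejects(ATTACKER_COMMENT));
```

Run with node: the second printed document carries an allow rule outside any comment, and the element count rises from 2 to 3 even though the application only ever created one rule. The same "--" check, applied to input before it reaches createComment(), is the fallback for deployments that cannot move to a fixed release.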

Related Identifiers

CVE-2026-41672
GHSA-J759-J44W-7FR8

Affected Products

@Rootio/Xmldom Xmldom
@Xmldom/Xmldom
Node-Xmldom
Xmldom