PT-2026-34617 · Root+4 · @Rootio/Xmldom Xmldom+3

Tharvid · Published 2026-04-22 · Updated 2026-05-07 · CVE-2026-41674
CVSS v4.0 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
@xmldom/xmldom versions prior to 0.8.13 (0.8.x branch)
@xmldom/xmldom versions prior to 0.9.10 (0.9.x branch)
xmldom versions prior to 0.6.0
Description
The package serializes the DocumentType node fields internalSubset, publicId and systemId verbatim, without escaping or validation. When an application fills these fields from attacker-controlled strings, either through createDocumentType() or by writing the properties directly, XMLSerializer.serializeToString() can emit a DOCTYPE declaration that is terminated early, so that attacker-supplied markup ends up outside of it. Specifically: the sequence ]> in internalSubset closes the internal subset and with it the declaration; a > in systemId closes the declaration; and a crafted publicId can break out of its quoting context to append a fake SYSTEM identifier, pointing the external DTD at an attacker-chosen location. If the serialized document is later re-parsed by an XML parser with DTD processing and entity expansion enabled, the result is an XXE-class attack (external entity resolution, local file disclosure, SSRF through the external DTD fetch). The precondition is that the application builds DocumentType values from untrusted input; the serializer itself does nothing to stop it.
Recommendations
Update @xmldom/xmldom to version 0.8.13 or 0.9.10, whichever branch is in use. Update xmldom to a version later than 0.6.0; because the unscoped xmldom package is deprecated in favour of @xmldom/xmldom, migrating to a fixed scoped release is the practical route. As a mitigation, pass the { requireWellFormed: true } option to serializeToString(), which validates the DocumentType fields and throws an InvalidStateError when it detects an injection sequence. Independently of the serializer, treat any DOCTYPE built from untrusted input as suspect: reject values containing ]>, > or quote characters before creating the node, and configure downstream XML parsers to disable DTD processing and external entity expansion so that a malformed DOCTYPE cannot turn into an XXE.
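The injection mechanics from the Description and the validation the Recommendations call for, as an added example that is not code from @xmldom/xmldom. serializeDoctypeVerbatim is a simplified stand-in for the unescaped DOCTYPE serialization the advisory describes (it always wraps identifiers in double quotes, so the systemId break-out here needs a " before the >), markupAfterDoctype and headerLiterals emulate how a parser would read the result, and assertDoctypeFieldsWellFormed is a guard modelled on the requireWellFormed behaviour; all names, the attacker.example URL and the payloads are this example's own constructions.

```javascript
// Added example, not @xmldom/xmldom code. Names and payloads are constructed here.

// Naive serializer: writes name, publicId, systemId and internalSubset verbatim,
// the behaviour the advisory attributes to affected releases (simplified:
// identifiers are always double-quoted).
function serializeDoctypeVerbatim({ name, publicId = '', systemId = '', internalSubset = '' }) {
  let out = '<!DOCTYPE ' + name;
  if (publicId) out += ' PUBLIC "' + publicId + '" "' + systemId + '"';
  else if (systemId) out += ' SYSTEM "' + systemId + '"';
  if (internalSubset) out += ' [' + internalSubset + ']';
  return out + '>';
}

// Where a parser considers the DOCTYPE closed: the first '>' outside a quoted
// literal and outside the [...] internal subset. Returns whatever follows that
// point, i.e. the markup that escaped the declaration ('' when nothing did).
function markupAfterDoctype(serialized) {
  let state = 'header'; // header | subset | subsetDecl
  let quote = null;
  for (let i = 0; i < serialized.length; i++) {
    const c = serialized[i];
    if (quote) { if (c === quote) quote = null; continue; }
    if (state !== 'subset' && (c === '"' || c === "'")) { quote = c; continue; }
    if (state === 'header') {
      if (c === '[') state = 'subset';
      else if (c === '>') return serialized.slice(i + 1);
    } else if (state === 'subset') {
      if (c === '<') state = 'subsetDecl';
      else if (c === ']') state = 'header';
    } else if (c === '>') {
      state = 'subset'; // end of a markup declaration inside the subset
    }
  }
  return '';
}

// Quoted literals in the DOCTYPE header in reading order: after PUBLIC a parser
// takes the first as the public id and the second as the system id.
function headerLiterals(serialized) {
  const literals = [];
  let quote = null, start = 0;
  for (let i = 0; i < serialized.length; i++) {
    const c = serialized[i];
    if (quote) { if (c === quote) { literals.push(serialized.slice(start, i)); quote = null; } }
    else if (c === '"' || c === "'") { quote = c; start = i + 1; }
    else if (c === '[' || c === '>') break;
  }
  return literals;
}

// XML PubidChar production: the only characters a public identifier may contain.
const PUBID_CHARS = /^[\x20\x0D\x0Aa-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;

// A ']' outside a quoted literal would end the internal subset early.
function subsetHasUnquotedCloseBracket(subset) {
  let quote = null;
  for (const c of subset) {
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === ']') return true;
  }
  return false;
}

// Guard modelled on requireWellFormed: reject values that would terminate or
// re-quote the declaration, raising an InvalidStateError-named error.
function assertDoctypeFieldsWellFormed({ publicId = '', systemId = '', internalSubset = '' }) {
  const fail = (field) => {
    const err = new Error('DocumentType ' + field + ' would break the DOCTYPE declaration');
    err.name = 'InvalidStateError';
    throw err;
  };
  if (!PUBID_CHARS.test(publicId)) fail('publicId');     // '"' and '>' are not PubidChars
  if (/["<>]/.test(systemId)) fail('systemId');           // closes the literal or the declaration
  if (subsetHasUnquotedCloseBracket(internalSubset)) fail('internalSubset');
}

function serializeDoctypeChecked(fields) {
  assertDoctypeFieldsWellFormed(fields);
  return serializeDoctypeVerbatim(fields);
}

// Constructed payloads, one per vector named in the advisory. The trailing
// '<!--' swallows the serializer's own closing characters into a comment.
const PAYLOADS = {
  internalSubset: { name: 'root', internalSubset: ']><evil/><!--' },
  systemId: { name: 'root', systemId: 'x.dtd"><evil/><!--' },
  publicId: { name: 'html', publicId: '-//W3C//DTD XHTML 1.0//EN" "http://attacker.example/evil.dtd',
              systemId: 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd' },
};
const LEGITIMATE = { name: 'html', publicId: '-//W3C//DTD XHTML 1.0 Strict//EN',
                     systemId: 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd' };

// Per vector: markup that escaped the verbatim DOCTYPE, the header literals a
// parser would see, and whether the guard rejected the payload.
function demo() {
  const result = {};
  for (const [vector, fields] of Object.entries(PAYLOADS)) {
    const verbatim = serializeDoctypeVerbatim(fields);
    let rejected = false;
    try { serializeDoctypeChecked(fields); } catch (e) { rejected = e.name === 'InvalidStateError'; }
    result[vector] = { escaped: markupAfterDoctype(verbatim), literals: headerLiterals(verbatim), rejected };
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The publicId payload never leaves the declaration; its damage is that the second header literal, which a parser reads as the system identifier, now points at the attacker's DTD, which is the "fake SYSTEM entry" the advisory describes. The guard rejects all three payloads and passes the legitimate XHTML doctype unchanged; the downstream-parser hardening from the Recommendations (no DTD processing, no external entities) is still needed, since this guard only protects the serialization step.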

Related Identifiers

CVE-2026-41674
GHSA-F6WW-3GGP-FR8H

Affected Products

@Rootio/Xmldom Xmldom
@Xmldom/Xmldom
Node-Xmldom
Xmldom