PT-2026-34618

Tharvid

Published 2026-04-22 · Updated 2026-05-07 · CVE-2026-41675

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
@xmldom/xmldom versions prior to 0.8.13
@xmldom/xmldom versions prior to 0.9.10
xmldom versions 0.6.0 and earlier
Description: The software allows attacker-controlled processing instruction (PI) data to be serialized into XML without validating or neutralizing the PI-closing sequence "?>". This occurs because the createProcessingInstruction() function stores the supplied data directly without validation, and the serializer subsequently concatenates this data verbatim. An attacker can use the "?>" sequence to terminate the processing instruction prematurely and inject arbitrary XML nodes into the serialized output, potentially altering the structure and meaning of the generated XML documents.
Recommendations: For @xmldom/xmldom versions prior to 0.8.13 and 0.9.10, update to version 0.8.13 or 0.9.10 and explicitly pass the { requireWellFormed: true } option to the serializeToString() function to enable the validation that prevents injection of "?>" sequences. For xmldom versions 0.6.0 and earlier, there is at the moment no information about a newer version that contains a fix for this vulnerability.
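As an added illustration (not xmldom's code), the two serializer behaviours the description and the recommendation contrast: verbatim concatenation of PI data, and a well-formedness check that rejects "?>" before serialization, modelled on what the requireWellFormed option is meant to enforce. Function names, the target regex and the sample data are this example's own assumptions.

```javascript
// Added example, not code from xmldom. Two stand-alone PI serializers:
// the unchecked form the advisory describes, and a checked form modelled on
// what { requireWellFormed: true } is meant to enforce. Names are ours.

// Unchecked: data is concatenated verbatim, so a "?>" inside it ends the PI
// early and whatever follows becomes sibling nodes in the output.
function serializePiUnchecked(target, data) {
  return `<?${target} ${data}?>`;
}

// Checked: enforce the XML 1.0 rules for a processing instruction before
// emitting it (target is a Name and not "xml" in any letter case; data holds
// no "?>"). The Name pattern is an ASCII simplification of the spec grammar.
function serializePiChecked(target, data) {
  if (!/^[A-Za-z_:][\w.:-]*$/.test(target) || /^xml$/i.test(target)) {
    throw new Error(`invalid PI target: ${JSON.stringify(target)}`);
  }
  if (data.includes('?>')) {
    throw new Error('PI data contains "?>", which would close the PI early');
  }
  return data === '' ? `<?${target}?>` : `<?${target} ${data}?>`;
}

// Count the processing instructions present in serialized XML; output that
// was built from exactly one PI node should report exactly one.
function countPis(xml) {
  return (xml.match(/<\?[\s\S]*?\?>/g) || []).length;
}

// Constructed sample: untrusted PI data carrying the closing sequence.
const TAINTED_DATA = 'href="a.xsl"?><added/><?extra b';

function demo() {
  const unchecked = serializePiUnchecked('xml-stylesheet', TAINTED_DATA);
  console.log('unchecked:', unchecked, '-> PIs:', countPis(unchecked));
  try {
    serializePiChecked('xml-stylesheet', TAINTED_DATA);
  } catch (e) {
    console.log('checked  : rejected ->', e.message);
  }
  console.log('checked  :', serializePiChecked('xml-stylesheet', 'href="a.xsl"'));
}
demo();
```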

Related Identifiers

CVE-2026-41675
GHSA-X6WF-F3PX-WCQX

Affected Products

@Rootio/Xmldom Xmldom
@Xmldom/Xmldom
Node-Xmldom
Xmldom