Bug 2467620 (CVE-2026-41674) - CVE-2026-41674 xmldom: xmldom: Arbitrary XML markup injection
Summary: CVE-2026-41674 xmldom: xmldom: Arbitrary XML markup injection
Keywords:
Status: NEW
Alias: CVE-2026-41674
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2477029 2477030 2477031 2477032 2477033 2477034
Blocks:
Reported: 2026-05-07 05:01 UTC by OSIDB Bzimport
Modified: 2026-05-13 14:47 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-05-07 05:01:49 UTC
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
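The weakness above is verbatim emission of DocumentType fields. The following is an added example (not xmldom's code and not its fix) of the check a consumer can run before serializing: validate publicId, systemId and internalSubset against the XML 1.0 literal grammar, pick the quote character the literal cannot contain, and refuse anything that could close the DOCTYPE early. The PubidChar set is from the XML 1.0 spec; the ASCII-only Name pattern and the conservative "]>" rejection for the internal subset are this example's assumptions.

```javascript
// Added example (not xmldom's code): refuse DocumentType fields that could
// terminate the DOCTYPE declaration early, instead of emitting them verbatim.

// XML 1.0 PubidChar: everything a PubidLiteral may contain (no '"' or '<').
const PUBID_CHAR_RE = /^[\x20\x0D\x0Aa-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;
// ASCII-only approximation of an XML Name for the doctype name (assumption).
const NAME_RE = /^[A-Za-z_:][A-Za-z0-9._:\-]*$/;

// Returns a list of problems; an empty list means the fields are safe to emit.
function validateDoctypeFields({ name, publicId = '', systemId = '', internalSubset = '' }) {
  const problems = [];
  if (typeof name !== 'string' || !NAME_RE.test(name)) {
    problems.push('name is not a valid XML Name');
  }
  if (publicId !== '' && !PUBID_CHAR_RE.test(publicId)) {
    problems.push('publicId contains characters outside PubidChar');
  }
  if (publicId !== '' && systemId === '') {
    problems.push('PUBLIC requires a system identifier in XML');
  }
  // A SystemLiteral is "..." without '"' or '...' without "'"; both means no quoting works.
  if (systemId.includes('"') && systemId.includes("'")) {
    problems.push('systemId contains both quote characters');
  }
  // Conservative: a "]" followed by ">" would end the [internal subset] and the DOCTYPE.
  if (/\]\s*>/.test(internalSubset)) {
    problems.push('internalSubset contains "]>" which would terminate the DOCTYPE');
  }
  return problems;
}

// Builds the DOCTYPE, quoting each literal with the character it cannot contain.
function serializeDoctype(fields) {
  const problems = validateDoctypeFields(fields);
  if (problems.length > 0) {
    throw new Error('unsafe DocumentType: ' + problems.join('; '));
  }
  const { name, publicId = '', systemId = '', internalSubset = '' } = fields;
  const quote = (s) => (s.includes('"') ? "'" + s + "'" : '"' + s + '"');
  let out = '<!DOCTYPE ' + name;
  if (publicId !== '') out += ' PUBLIC ' + quote(publicId) + ' ' + quote(systemId);
  else if (systemId !== '') out += ' SYSTEM ' + quote(systemId);
  if (internalSubset !== '') out += ' [' + internalSubset + ']';
  return out + '>';
}
```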

