CVE-2026-41672
CWE-91Published: May 7, 2026· Updated: May 7, 2026
Official Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
Technical Analysis
CVE-2026-41672 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (7)
Quick Facts
Related CVEs (CWE-91)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-41672 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts