VYPR
High severityNVD Advisory· Published May 7, 2026· Updated May 7, 2026

CVE-2026-41674

CVE-2026-41674

Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@xmldom/xmldomnpm
< 0.8.130.8.13
@xmldom/xmldomnpm
>= 0.9.0, < 0.9.100.9.10
xmldomnpm
<= 0.6.0

Affected products

11

Patches

Vulnerability mechanics

References

6

News mentions

1