CVE-2026-41674
Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@xmldom/xmldomnpm | < 0.8.13 | 0.8.13 |
@xmldom/xmldomnpm | >= 0.9.0, < 0.9.10 | 0.9.10 |
xmldomnpm | <= 0.6.0 | — |
Affected products
11- osv-coords11 versionspkg:apk/chainguard/actions-runnerpkg:apk/chainguard/arangodb-3.11pkg:apk/chainguard/librechatpkg:apk/chainguard/npmpkg:apk/chainguard/safpkg:apk/chainguard/sqlpadpkg:apk/wolfi/npmpkg:apk/wolfi/safpkg:apk/wolfi/sqlpadpkg:npm/%40xmldom/xmldompkg:npm/xmldom
< 2.334.0-r1+ 10 more
- (no CPE)range: < 2.334.0-r1
- (no CPE)range: < 3.11.14.3-r6
- (no CPE)range: < 0.8.4-r6
- (no CPE)range: < 11.13.0-r1
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 7.5.7-r18
- (no CPE)range: < 11.13.0-r1
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 7.5.7-r18
- (no CPE)range: < 0.8.13
- (no CPE)range: <= 0.6.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-f6ww-3ggp-fr8hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41674ghsaADVISORY
- github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314nvdWEB
- github.com/xmldom/xmldom/releases/tag/0.8.13nvdWEB
- github.com/xmldom/xmldom/releases/tag/0.9.10nvdWEB
- github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8hnvdWEB
News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026