{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34601", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.500Z", "datePublished": "2026-04-02T17:47:13.209Z", "dateUpdated": "2026-04-03T16:03:21.485Z"}, "containers": {"cna": {"title": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion", "problemTypes": [{"descriptions": [{"cweId": "CWE-91", "lang": "en", "description": "CWE-91: XML Injection (aka Blind XPath Injection)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"}, {"name": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184", "tags": ["x_refsource_MISC"], "url": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184"}, {"name": "https://github.com/xmldom/xmldom/releases/tag/0.8.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.12"}, {"name": "https://github.com/xmldom/xmldom/releases/tag/0.9.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.9"}], "affected": [{"vendor": "xmldom", "product": "xmldom", "versions": [{"version": "xmldom <= 0.6.0", "status": "affected"}, {"version": "@xmldom/xmldom < 0.8.12", "status": "affected"}, {"version": "@xmldom/xmldom >= 0.9.0, < 0.9.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:47:13.209Z"}, "descriptions": [{"lang": "en", "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9."}], "source": {"advisory": "GHSA-wh4c-j3r5-mjhp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:02:29.353065Z", "id": "CVE-2026-34601", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:03:21.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34601", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:02:29.353065Z"}}}], "references": [{"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:03:11.347Z"}}], "cna": {"title": "xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion", "source": {"advisory": "GHSA-wh4c-j3r5-mjhp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "xmldom", "product": "xmldom", "versions": [{"status": "affected", "version": "xmldom <= 0.6.0"}, {"status": "affected", "version": "@xmldom/xmldom < 0.8.12"}, {"status": "affected", "version": "@xmldom/xmldom >= 0.9.0, < 0.9.9"}]}], "references": [{"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp", "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184", "name": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/xmldom/xmldom/releases/tag/0.8.12", "name": "https://github.com/xmldom/xmldom/releases/tag/0.8.12", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/xmldom/xmldom/releases/tag/0.9.9", "name": "https://github.com/xmldom/xmldom/releases/tag/0.9.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-91", "description": "CWE-91: XML Injection (aka Blind XPath Injection)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:47:13.209Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34601", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:03:21.485Z", "dateReserved": "2026-03-30T17:15:52.500Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:47:13.209Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9."}], "id": "CVE-2026-34601", "lastModified": "2026-04-03T16:16:40.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:31.933", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184"}, {"source": "security-advisories@github.com", "url": "https://github.com/xmldom/xmldom/releases/tag/0.8.12"}, {"source": "security-advisories@github.com", "url": "https://github.com/xmldom/xmldom/releases/tag/0.9.9"}, {"source": "security-advisories@github.com", "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-91"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.6.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.9.0,0.9.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "xmldom", "vendor": "xmldom"}], "analysis": {"en": {"generated_at": "2026-04-02T22:28:39.092020+00:00", "value": {"mitigation_remediation": ["Upgrade xmldom to version 0.6.0 or later and @xmldom/xmldom to version 0.8.12 or 0.9.9 or later.", "If an immediate upgrade is not feasible, avoid using CDATA sections that contain user data; sanitize any occurrence of the string `]]>` before serialization.", "Verify that the application does not rely on unsanitized CDATA content and review code paths that serialize XML with xmldom.", "Monitor the project\u2019s advisory feed and npm registry for updated versions."], "summary": {"action": "Immediate Patch", "impact": "XML Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the xmldom package named xmldom:xmldom. Versions 0.6.0 and older are susceptible, as are the @xmldom/xmldom releases prior to 0.8.12 and 0.9.9. Users of these libraries in Node.js or browser environments that serialize XML content with XMLSerializer must verify whether their code relies on CDATA sections containing user data and upgrade to the patched releases.", "description_and_impact": "xmldom, a pure JavaScript implementation of the W3C XML DOM Level 2 Core, contains a flaw in its CDATASection handling. The XMLSerializer fails to escape or split an attacker\u2011controlled `]]>` terminator inserted into a CDATA section, writing the terminator verbatim and turning the intended text into active XML markup. This permits arbitrary XML structure injection, allowing an attacker to manipulate the serialized document and potentially alter application logic or data transported in the XML.", "risk_and_exploitability": "The advisory lists a CVSS score of 7.5, indicating a high risk and moderate to high impact. EPSS data is not reported and the vulnerability is not in the CISA KEV catalogue, suggesting it is not yet widely attacked. Based on the description, it is inferred that an attacker who can influence the XML content serialized by xmldom can insert a CDATA terminator and thereby cause arbitrary XML markup to be emitted. The likely attack vector is remote if the application accepts untrusted input for serialization, but the exact conditions depend on how the library is used. Successful exploitation could lead to unauthorized manipulation of XML structure and downstream application logic."}}}}, "created": "2026-04-03T08:58:03.300159+00:00", "updated": "2026-04-03T09:17:12.151815+00:00", "vendors": ["xmldom", "xmldom$PRODUCT$xmldom"]}