CVE-2026-34601 in xmldomالمعلومات

الملخص

بحسب MITRE • 02/04/2026

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

GitHub M

حجز

30/03/2026

إفشاء

02/04/2026

الاعتدال

تمت الموافقة

إدخال

VDB-354982

CPE

جاهز

CWE

CWE-91 (مؤكد)

CVSS

7.5 (CNA)

EPSS

0.00019

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-34601
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-34601
CVE Details	https://www.cvedetails.com/cve/CVE-2026-34601/

التالي ▸نظرة عامة ◂ السابق

Want to stay up to date on a daily basis?

Enable the mail alert feature now!