Platform
nodejs
Component
xmldom
Fixed in
0.6.1
0.8.13
0.9.1
CVE-2026-34601 is a high-severity vulnerability in the @xmldom/xmldom library. It affects 0.6.0 and earlier on the 0.6 line, and releases before the fixed versions listed in the Fixed in field above on the 0.8 and 0.9 lines. The library mishandles the CDATA terminator sequence ]]> when it occurs inside CDATA content, which lets an attacker who controls text placed in a CDATASection node inject active XML markup into the serialized output. Successful exploitation can lead to business-logic manipulation in applications that re-parse or forward that output. The vulnerability was published on 2026-04-01; fixed releases are available (0.6.1 for the 0.6 line, with the corresponding 0.8 and 0.9 releases listed above).
The core of this vulnerability is the library's handling of CDATA sections during serialization. In XML, the sequence ]]> unconditionally ends a CDATA section, so a serializer that writes <![CDATA[ + text + ]]> must never let the literal bytes ]]> appear inside the text; the standard remedy is to split each occurrence into ]]]]><![CDATA[>, i.e. close the section after the two brackets and reopen it before the >, so a parser reassembles the original characters. Affected versions neither reject nor split the sequence and emit it verbatim. An attacker who controls a string that ends up in a CDATASection node (a comment, a description, any field the application wraps in CDATA) can therefore terminate the section early; everything after the ]]> in the attacker's string is emitted outside any CDATA section and is parsed as markup (elements, attributes, processing instructions) by whatever consumes the serialized document. Data the application intended to treat as opaque text thus becomes structure. The concrete impact is whatever the downstream consumer does with attacker-controlled structure: the advisory cites business-logic manipulation, and it is most severe where the integrity of the XML document is relied upon for authorization or billing decisions. Note that the attacker can also reopen a CDATA section at the end of the payload so that the result is still well-formed and produces no parse error.
CVE-2026-34601 is currently not listed in the CISA KEV catalog. Its EPSS score is 0.05% (17th percentile). No public proof-of-concept code is available, but the trigger is trivial (any untrusted string containing ]]> that reaches a CDATASection node), so working payloads require no special tooling. The vulnerability was disclosed on 2026-04-01.
Exploit Status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34601 is to upgrade @xmldom/xmldom to the fixed release for your line (0.6.1 for the 0.6 line; the 0.8 and 0.9 fixes are listed in the Fixed in field above). If you cannot upgrade immediately, do not let untrusted text reach createCDATASection unchecked: either reject input containing ]]> or split it yourself into ]]]]><![CDATA[> before creating the node, and prefer ordinary text nodes over CDATA for untrusted content wherever the consumer accepts them. A web application firewall that inspects XML payloads for ]]> in request bodies adds only a thin layer: the sequence is legitimate in many documents, and the vulnerable path is serialization of data that may have entered through any channel, not only HTTP. For detection, log and alert on ]]> appearing in fields your application is known to wrap in CDATA. After upgrading, confirm the fix directly: create a CDATASection whose text contains ]]>, serialize it with the library's XMLSerializer, and check that the output contains no bare ]]> outside a section terminator and that re-parsing yields exactly the original text with no additional nodes.
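The mechanism described above and the post-upgrade check from the mitigation section, as an added example in plain JavaScript that is not @xmldom/xmldom's own code: a toy CDATA serializer in both the faulty and the corrected form, a scanner that reads the output the way a parser would so the escaped markup is visible, the round-trip check to run against a real serializer, and the interim input filter. It deliberately does not call @xmldom/xmldom so that it runs offline; the attacker string is constructed for the demonstration.

```javascript
// Added example (not @xmldom/xmldom's code): toy CDATA serializer in the faulty
// form the advisory describes and in the corrected form, plus a parser-view
// scanner. The attacker string below is constructed for the demonstration.

const CDATA_OPEN = '<![CDATA[';
const CDATA_CLOSE = ']]>';

// Faulty behaviour: the text is wrapped as-is, so a "]]>" inside it closes the
// section early and whatever follows is parsed as markup.
function serializeCdataNaive(text) {
  return CDATA_OPEN + text + CDATA_CLOSE;
}

// Corrected behaviour: every "]]>" is split across two sections as
// "]]" + "]]><![CDATA[" + ">", so the bytes "]]>" never occur inside a section
// and a parser reassembles the original text unchanged.
function serializeCdataSafe(text) {
  const split = ']]' + CDATA_CLOSE + CDATA_OPEN + '>'; // "]]]]><![CDATA[>"
  return CDATA_OPEN + text.split(CDATA_CLOSE).join(split) + CDATA_CLOSE;
}

// Read a serialized fragment the way a parser would: bytes between "<![CDATA["
// and the next "]]>" are character data; everything else is markup. Both are
// returned so the caller can see exactly which bytes escaped the section.
function scanCdata(xml) {
  let text = '';
  let markup = '';
  let i = 0;
  while (i < xml.length) {
    const open = xml.indexOf(CDATA_OPEN, i);
    if (open === -1) {            // no further section: the rest is markup
      markup += xml.slice(i);
      break;
    }
    markup += xml.slice(i, open);
    const start = open + CDATA_OPEN.length;
    const close = xml.indexOf(CDATA_CLOSE, start);
    if (close === -1) throw new Error('unterminated CDATA section');
    text += xml.slice(start, close);
    i = close + CDATA_CLOSE.length;
  }
  return { text, markup };
}

// Post-upgrade check: the serialized form of a CDATASection holding `original`
// must give back exactly `original` and leave no bytes outside the section(s).
function cdataRoundTrips(serialized, original) {
  const { text, markup } = scanCdata(serialized);
  return text === original && markup === '';
}

// Interim mitigation for code that cannot upgrade yet: refuse untrusted strings
// containing the terminator before they reach createCDATASection.
function assertNoCdataTerminator(text) {
  if (text.includes(CDATA_CLOSE)) {
    throw new Error('CDATA terminator "]]>" in untrusted input');
  }
  return text;
}

// Constructed attacker input: ends the section, injects an element, then
// reopens a section so the document stays well-formed and raises no parse error.
const userComment = 'harmless]]><role>admin</role><![CDATA[';

console.log('naive:', scanCdata(serializeCdataNaive(userComment)));
// { text: 'harmless', markup: '<role>admin</role>' }   the element became markup
console.log('safe: ', scanCdata(serializeCdataSafe(userComment)));
// { text: 'harmless]]><role>admin</role><![CDATA[', markup: '' }   text preserved
```

To check a real upgrade, build a CDATASection with the library (for example via doc.createCDATASection(userComment)), serialize that node with its XMLSerializer, and pass the resulting string and the original text to cdataRoundTrips; a patched library returns true, an affected one returns false because the injected element lands in markup.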
Update @xmldom/xmldom to the fixed release for the line you are on, as listed in the Fixed in field above (0.6.0 and earlier are affected; 0.6.1 is the fix on that line). The fixed serializer no longer emits ]]> verbatim from CDATASection content, so attacker-controlled strings placed in CDATASection nodes can no longer be interpreted as active XML markup.
CVE-2026-34601 is a high-severity vulnerability in the @xmldom/xmldom library affecting 0.6.0 and earlier, as well as the 0.8 and 0.9 lines before their fixed releases. It allows attackers to inject active XML markup through improper handling of the CDATA terminator ]]> during serialization, potentially leading to business-logic manipulation.
If your Node.js application depends on an affected @xmldom/xmldom version and places untrusted text in CDATASection nodes, you are potentially affected. Check your lock file for the resolved version of @xmldom/xmldom (including transitive dependencies) now.
Upgrade to the fixed release for your line, listed in the Fixed in field above. Until you do, reject or split ]]> in untrusted input before it reaches createCDATASection; a WAF rule on ]]> in request bodies adds only a limited extra layer.
No active exploitation has been confirmed and the EPSS score is low, but the trigger is a single string containing ]]>, so it is easy to exploit once an injection point is found. Monitor fields your application wraps in CDATA for that sequence.
Refer to the official @xmldom/xmldom project repository and relevant security mailing lists for updates and advisories regarding CVE-2026-34601.