CVE-2026-34601
Published: 02 April 2026
Summary
CVE-2026-34601 is a high-severity XML Injection (aka Blind XPath Injection, CWE-91) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 18.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely patching of the vulnerable xmldom library versions to remediate the CDATA terminator mishandling flaw.
SI-10 (Information Input Validation): validates attacker-controlled strings before they reach the XML parser or a CDATASection node, blocking insertion of the CDATA terminator that enables XML structure injection.
SI-10 (output side): filters or escapes serialized XML output so an unhandled CDATA terminator cannot turn text-only data into active XML markup.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated XML structure injection in a widely-used JavaScript library, directly enabling exploitation of public-facing applications that process or serialize XML using the affected xmldom module.
NVD Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
Deeper analysis
CVE-2026-34601 affects the xmldom JavaScript module, a pure JavaScript implementation of the W3C XML DOM Level 2 Core DOMParser and XMLSerializer. The vulnerability exists in xmldom versions 0.6.0 and prior, as well as @xmldom/xmldom versions prior to 0.8.12 and 0.9.9. It stems from the ability to place an attacker-controlled string containing the CDATA terminator "]]>" into a CDATASection node; the XMLSerializer then emits that content verbatim, without rejecting the terminator or splitting the section around it. Because "]]>" closes the CDATA section early, whatever follows it in the string is no longer text but markup in the serialized document, which is the XML structure injection classified as CWE-91.
Remote attackers require no privileges or user interaction to exploit this over the network with low complexity, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). By supplying a malicious string with the CDATA terminator, an attacker can inject arbitrary XML structures into the serialized output, potentially manipulating downstream business logic in applications that parse or process the resulting XML.
The GitHub security advisory (GHSA-wh4c-j3r5-mjhp) and the associated patch commit (2b852e836ab86dbbd6cbaf0537f584dd0b5ac184, with corresponding release tags) give the fixed versions as @xmldom/xmldom 0.8.12 and 0.9.9. The description above lists unscoped xmldom 0.6.0 as both affected and fixed; since the unscoped xmldom package has not been published beyond 0.6.0 and is deprecated in favour of @xmldom/xmldom, treat migration to @xmldom/xmldom 0.8.12 or 0.9.9 as the remediation, and verify with `npm ls xmldom @xmldom/xmldom` that no transitive dependency still pulls in an affected version.
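The following is an added example illustrating the mechanism described above and the input-validation and output-escaping controls listed under Mitigating Controls. It is not code from xmldom or @xmldom/xmldom: the serializer functions, the review document layout, the `parseApproved` consumer and the attacker payload are all constructed stand-ins, and the consumer is a deliberately minimal regex reader rather than a real XML parser. The vulnerable function reproduces the behaviour the advisory describes (CDATA content emitted verbatim); the fixed function applies the standard split of `]]>` into `]]` + `]]><![CDATA[` + `>` so the terminator never appears inside a section.

```javascript
// Added example for CVE-2026-34601 (CDATA terminator mishandling). Not the
// library's own code; names and payload below are constructed for illustration.

// Attacker-controlled free-text field. The embedded "]]>" closes the CDATA
// section early; the markup after it is then parsed as live XML, and the
// trailing "<![CDATA[" re-opens a section so the document stays well-formed.
const ATTACKER_COMMENT = 'nice product]]><approved>true</approved><![CDATA[';

// SI-10 style input validation: refuse any string that carries a CDATA
// terminator before it ever reaches a CDATASection node.
function containsCdataTerminator(text) {
  return text.includes(']]>');
}

// Vulnerable behaviour: content is wrapped and emitted verbatim.
function serializeCdataUnsafe(text) {
  return '<![CDATA[' + text + ']]>';
}

// Fixed behaviour: every "]]>" is split so one section ends with "]]" and the
// next begins with ">". A conforming parser concatenates the adjacent sections
// and recovers the original text, terminator included, purely as character data.
function serializeCdataSafe(text) {
  return '<![CDATA[' + text.split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Constructed document: the user field precedes the decision field, so any
// injected <approved> element is the first one a downstream reader sees.
function buildReview(comment, serialize) {
  return '<review><comment>' + serialize(comment) +
    '</comment><approved>false</approved></review>';
}

// Stand-in for downstream business logic. It treats CDATA content as opaque
// text (angle brackets masked) and then reads the first <approved> element.
// A real XML parser behaves the same way with respect to CDATA boundaries.
function parseApproved(xml) {
  const masked = xml.replace(
    /<!\[CDATA\[([\s\S]*?)\]\]>/g,
    (_, text) => text.replace(/[<>]/g, '_')
  );
  const m = masked.match(/<approved>(true|false)<\/approved>/);
  return m ? m[1] === 'true' : null;
}

// Stand-alone run: the unsafe serializer lets the attacker flip the decision,
// the safe serializer keeps the comment as text and the decision stays false.
console.log('input rejected by validation:', containsCdataTerminator(ATTACKER_COMMENT));
console.log('unsafe ->', buildReview(ATTACKER_COMMENT, serializeCdataUnsafe));
console.log('unsafe approved:', parseApproved(buildReview(ATTACKER_COMMENT, serializeCdataUnsafe)));
console.log('safe   ->', buildReview(ATTACKER_COMMENT, serializeCdataSafe));
console.log('safe approved:', parseApproved(buildReview(ATTACKER_COMMENT, serializeCdataSafe)));
```

Either control alone closes this instance: rejecting input that contains `]]>` (SI-10) prevents the terminator from reaching the node, and the split-on-serialize fix is what the patched library versions do for you. Prefer upgrading, since validation at every call site is easy to miss, and keep the validation as defence in depth for fields that should never legitimately contain a CDATA terminator.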
Details
- CWE(s)