@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41673 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41673 Source advisory:...

Uncontrolled Recursion

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including...

Uncontrolled Recursion

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related...

xmldom: Uncontrolled recursion in XML serialization leads to DoS

Summary Seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. Reported operations: - Node.prototype.normalize — reported by @praveen-kv email 2026-04-05 and...

Uncontrolled Recursion

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to Uncontrolled...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13068 more potentially affected by CVE-2026-41673 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41673 Source advisory: SNYK:JS-XMLDOM-16134529...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13068 more potentially affected by CVE-2026-41673 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41673 Source advisory: OSV:GHSA-2V35-W6HQ-6MFW...

2c2p-integration (>=0.2.0 <=0.2.2), 2d-game-assets (=0.0.1) +5992 more potentially affected by CVE-2026-41673 via @xmldom/xmldom (>=0.7.0 <=0.8.12)

@xmldom/xmldom NPM version =0.7.0, =0.2.0, =1.0.8, =0.1.3, =0.0.7, =0.3.31, =0.1.3, =1.0.4, =1.0.5 and more Source cves: CVE-2026-41673 Source advisory: OSV:GHSA-2V35-W6HQ-6MFW...

XML Injection

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the...

org.webjars.npm:adal-node (=0.1.28), org.webjars.npm:canvg (>=1.5.2 <=1.5.3) +14 more potentially affected by CVE-2026-41674 via org.webjars.npm:xmldom (>=0.1.31 <=0.6.0)

org.webjars.npm:xmldom MAVEN version =0.1.31, =1.5.2, =0.7.2, =0.14.0, =0.11.0, =7.14.0, =2.7.0, =2.9.2 and more Source cves: CVE-2026-41674 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16134550...

2c2p-integration (>=0.2.0 <=0.2.2), 2d-game-assets (=0.0.1) +5992 more potentially affected by CVE-2026-41674 via @xmldom/xmldom (>=0.7.0 <=0.8.12)

@xmldom/xmldom NPM version =0.7.0, =0.2.0, =1.0.8, =0.1.3, =0.0.7, =0.3.31, =0.1.3, =1.0.4, =1.0.5 and more Source cves: CVE-2026-41674 Source advisory: SNYK:JS-XMLDOMXMLDOM-16134549...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13068 more potentially affected by CVE-2026-41674 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41674 Source advisory: OSV:GHSA-F6WW-3GGP-FR8H...

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41674 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41674 Source advisory:...

2c2p-integration (>=0.2.0 <=0.2.2), 2d-game-assets (=0.0.1) +5992 more potentially affected by CVE-2026-41674 via @xmldom/xmldom (>=0.7.0 <=0.8.12)

@xmldom/xmldom NPM version =0.7.0, =0.2.0, =1.0.8, =0.1.3, =0.0.7, =0.3.31, =0.1.3, =1.0.4, =1.0.5 and more Source cves: CVE-2026-41674 Source advisory: OSV:GHSA-F6WW-3GGP-FR8H...

XML Injection

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the publicId, systemId, ...

xmldom has XML injection through unvalidated DocumentType serialization

Summary The package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is...

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41674 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41674 Source advisory:...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13068 more potentially affected by CVE-2026-41674 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41674 Source advisory: SNYK:JS-XMLDOM-16134548...

XML Injection

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection in...

GHSA-F6WW-3GGP-FR8H xmldom has XML injection through unvalidated DocumentType serialization

Summary The package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is...