Lucene search
K

1052 matches found

Snyk
Snyk
added 2026/04/22 8:17 p.m.8 views

XML Injection

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection vi...

8.7CVSS5.7AI score0.00408EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/22 8:4 p.m.36 views

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters Summary fast-xml-parser XMLBuilder does not escape the -- sequence in comment content or the sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data...

6.1CVSS5.9AI score0.00238EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/04/17 9:0 p.m.16 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection in fxb.js, which does not properly handle closing delimiters for comment and CDATA values. The -- sequence in comment content and the sequence in CDATA sections can be coopted to close their respective sections early and...

6.1CVSS5.8AI score0.00238EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/17 9:0 p.m.8 views

XML Injection

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection du...

8.7CVSS5.5AI score0.00365EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 9:0 p.m.17 views

XML Injection

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from...

8.7CVSS5.4AI score0.00365EPSS
Exploits0References2
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/17 1:36 p.m.8 views

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the xmldom JavaScript library

Summary Due to use of the xmldom JavaScript library, DevOps Test Performance and Rational Performance Tester contain a potential XML injection vulnerability. Vulnerability Details CVEID:CVE-2026-34601 DESCRIPTION: xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and...

7.5CVSS5.6AI score0.00472EPSS
Exploits0Affected Software1
Veracode
Veracode
added 2026/04/14 8:20 a.m.6 views

XML Injection

xmldom is vulnerable to an XML Injection. The vulnerability is due to improper handling of CDATA termination during serialization, which allows an attacker to inject malicious XML markup and manipulate the structure of the output...

7.5CVSS5.8AI score0.00472EPSS
Exploits0References9Affected Software2
RedhatCVE
RedhatCVE
added 2026/04/13 5:23 p.m.4 views

CVE-2026-40023

A flaw was found in Apache Log4cxx. An attacker who can influence logged data can exploit this by injecting characters forbidden by the XML 1.0 specification a standard for encoding documents into log messages, Network Device Configuration NDC, and Mapped Diagnostic Context MDC property keys and...

6.3CVSS5.7AI score0.00499EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/04/10 12:0 a.m.5 views

Unity Linux 20.1070e Security Update: python-xmltodict (UTSA-2026-007093)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007093 advisory. XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. Tenable has extracted the preceding...

6.9CVSS5.9AI score0.00417EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/03 9:15 p.m.35 views

CVE-2026-34978 OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri e.g., rss:///../job.cache, letting a remote IPP client write RSS XML bytes outside CacheDir/rss...

6.5CVSS0.00406EPSS
Exploits1References1
OSV
OSV
added 2026/04/02 6:16 p.m.6 views

UBUNTU-CVE-2026-34601

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator to be inserted into a...

7.5CVSS5.7AI score0.00472EPSS
Exploits0References2
OSV
OSV
added 2026/04/02 5:47 p.m.1 views

CVE-2026-34601 xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator to be inserted into a...

7.5CVSS5.9AI score0.00472EPSS
Exploits0References9
Snyk
Snyk
added 2026/04/01 12:19 a.m.3 views

XML Injection

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection vi...

8.6CVSS5.9AI score0.00472EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/01 12:19 a.m.6 views

XML Injection

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the XMLSerializer function. An attacker can manipulate the structure and integrity of generated...

8.6CVSS5.9AI score0.00472EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/01 12:19 a.m.10 views

xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion

Summary @xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain...

7.5CVSS5.4AI score0.00472EPSS
Exploits0References6Affected Software2
GithubExploit
GithubExploit
added 2026/03/28 8:4 a.m.204 views

Exploit for XML Injection (aka Blind XPath Injection) in Fonttools

CVE-2025-66034 — fontTools varLib Arbitrary File Write → RCE...

9.8CVSS7AI score0.00496EPSS
Exploits9
Cvelist
Cvelist
added 2026/03/20 3:42 p.m.25 views

CVE-2026-32986 Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

6.1CVSS0.0016EPSS
Exploits1References2
CVE
CVE
added 2026/03/20 3:42 p.m.12 views

CVE-2026-32986

Textpattern CMS 4.9.0 is affected by a Second-Order XSS in Atom feed handling. User-controlled parameters (e.g., category) can be reflected into Atom fields like and without proper XML escaping, and the payload may execute when the feed is consumed by HTML-based readers or CMS aggregators that ...

6.1CVSS5.7AI score0.0016EPSS
Exploits1References2Affected Software1
GithubExploit
GithubExploit
added 2026/03/17 8:3 p.m.174 views

Exploit for XML Injection (aka Blind XPath Injection) in Fonttools

CVE-2025-66034-Poc-to-Get-RCE-for-HTB-VariaType Just run the...

9.8CVSS5.8AI score0.00496EPSS
Exploits9
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/17 11:59 a.m.12 views

Security Bulletin: IBM Maximo Application Suite - Visual Inspection Component uses fontTools dependency which is vulnerable to CVE-2025-66034.

Summary IBM Maximo Application Suite - Visual Inspection Component uses fontTools dependency which is vulnerable to CVE-2025-66034. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2025-66034 DESCRIPTION: fontTools is a library fo...

9.8CVSS6.4AI score0.00496EPSS
Exploits9Affected Software1
Rows per page
Query Builder