34 matches found
SUSE CVE-2026-41675
xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...
CVE-2026-41675
xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...
CVE-2026-41675 xmldom: XML node injection through unvalidated processing instruction serialization
xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...
CVE-2026-41675
CVE-2026-41675 affects the xmldom/xmldom package. The vulnerability stems from attacker-controlled processing instruction data being serialized without validating or neutralizing the PI-closing sequence ?>, allowing injection of arbitrary XML nodes into the serialized output. Affected versions...
CVE-2026-41675 xmldom: XML node injection through unvalidated processing instruction serialization
xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...
EUVD-2026-28290
xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...
CVE-2026-41675
xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without...
Linux Distros Unpatched Vulnerability : CVE-2026-41675
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 an...
XML Injection
Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection vi...
XML Injection
Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the...
GHSA-X6WF-F3PX-WCQX xmldom has XML node injection through unvalidated processing instruction serialization
Summary The package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. ---...
XML Injection
Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the serialized output...
xmldom has XML node injection through unvalidated processing instruction serialization
Summary The package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. ---...
PT-2026-34618
Name of the Vulnerable Software and Affected Versions @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions 0.6.0 and earlier Description The software allows attacker-controlled processing instruction PI data to be serialized into XML without validating o...
Atlassian Jira Service Management Data Center and Server 4.20.x < 4.20.28 / 5.4.x < 5.4.12 / 5.5.x < 5.11.3 / 5.12.0 (JSDSERVER-14873)
The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-14873 advisory. - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input...
Atlassian Confluence 7.13.x / 8.1.x / 8.2.x / 8.3.x / 8.6.0 < 8.6.1 (CONFSERVER-93169)
The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-93169 advisory. - Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction PI input that causes excessive heap memory...
Denial Of Service (DoS)
neko-htmlunit is vulnerable to denial of service. An attacker can crash the application through the out of memory exception in the scanPI function of HTMLScanner.java by providing a specifically crafted processing instruction...
CVE-2022-29546
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction PI data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product...
CVE-2022-29546
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction PI data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product...
CVE-2022-29546
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction PI data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product...