What is CVE-2026-34601?

CVE-2026-34601 is a high-severity vulnerability in Xmldom, classified under XML Injection (Blind XPath Injection). CVSS score: 7.5/10. Published 2026-04-02.

How severe is CVE-2026-34601?

High severity. CVSS v3 base score is 7.5 out of 10.

XPath Injection in Xmldom

CVE-2026-34601

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlle…

EPSS: 0.000 (5.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Xmldom — versions xmldom <= 0.6.0, @xmldom/xmldom < 0.8.12, @xmldom/xmldom >= 0.9.0, < 0.9.9

Weakness classification (CWE)

CWE-91 — XML Injection (Blind XPath Injection)

References

https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp (x_refsource_CONFIRM)
https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184 (x_refsource_MISC)
https://github.com/xmldom/xmldom/releases/tag/0.8.12 (x_refsource_MISC)
https://github.com/xmldom/xmldom/releases/tag/0.9.9 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-34601?: CVE-2026-34601 is a high-severity vulnerability in Xmldom, classified under XML Injection (Blind XPath Injection). CVSS score: 7.5/10. Published 2026-04-02.
How severe is CVE-2026-34601?: High severity. CVSS v3 base score is 7.5 out of 10.