CVE-2026-41673 Detail

Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13, and in xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a `RangeError: Maximum call stack size exceeded`, crashing the application. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST: NVD
N/A
NVD assessment not yet provided.

CNA: GitHub, Inc.
CVSS-B 8.7 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References to Advisories, Solutions, and Tools

URL Source(s) Tag(s)
https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa GitHub, Inc.
https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597 GitHub, Inc.
https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f GitHub, Inc.
https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a GitHub, Inc.
https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe GitHub, Inc.
https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3 GitHub, Inc.
https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112 GitHub, Inc.
https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb GitHub, Inc.
https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84 GitHub, Inc.
https://github.com/xmldom/xmldom/releases/tag/0.8.13 GitHub, Inc.
https://github.com/xmldom/xmldom/releases/tag/0.9.10 GitHub, Inc.
https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw CISA-ADP, GitHub, Inc.

Weakness Enumeration

CWE-ID CWE Name Source
CWE-674 Uncontrolled Recursion GitHub, Inc.  

Change History

2 change records found

Quick Info

CVE Dictionary Entry: CVE-2026-41673
NVD Published Date: 05/07/2026
NVD Last Modified: 05/07/2026
Source: GitHub, Inc.