{
  "threat_severity" : "Important",
  "public_date" : "2026-05-07T03:36:16Z",
  "bugzilla" : {
    "description" : "xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection",
    "id" : "2467631",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467631"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-91",
  "details" : [ "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.", "A flaw was found in xmldom and @xmldom/xmldom, a JavaScript module for parsing and serializing XML. This vulnerability allows an attacker to inject malicious content into XML comments. By doing so, the attacker can prematurely close a comment and insert unauthorized XML elements into the final output. This could lead to the manipulation of data within the XML document." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Hub 1.9",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26234",
    "cpe" : "cpe:/a:redhat:rhdh:1.9::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1781187342"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Affected",
    "package_name" : "rh-podman-desktop.git",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "xmldom",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-agent-installer-ui-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform/automation-portal",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41672\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41672\nhttps://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7\nhttps://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1\nhttps://github.com/xmldom/xmldom/pull/987\nhttps://github.com/xmldom/xmldom/releases/tag/0.8.13\nhttps://github.com/xmldom/xmldom/releases/tag/0.9.10\nhttps://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8" ],
  "name" : "CVE-2026-41672",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}