{
  "threat_severity" : "Important",
  "public_date" : "2026-05-07T03:40:28Z",
  "bugzilla" : {
    "description" : "@xmldom/xmldom: xmldom: Denial of Service via deeply nested XML documents",
    "id" : "2467630",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467630"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-776",
  "details" : [ "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.", "A flaw was found in the `xmldom` library, a JavaScript module for parsing XML documents. An attacker could exploit this vulnerability by providing a specially crafted, deeply nested XML document. This could lead to a Denial of Service (DoS) by causing the application to crash due to excessive recursion." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Hub 1.9",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26234",
    "cpe" : "cpe:/a:redhat:rhdh:1.9::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1781187342"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Affected",
    "package_name" : "rh-podman-desktop.git",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "xmldom",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-agent-installer-ui-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform/automation-portal",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41673\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41673\nhttps://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa\nhttps://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597\nhttps://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f\nhttps://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a\nhttps://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe\nhttps://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3\nhttps://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112\nhttps://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb\nhttps://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84\nhttps://github.com/xmldom/xmldom/releases/tag/0.8.13\nhttps://github.com/xmldom/xmldom/releases/tag/0.9.10\nhttps://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw" ],
  "name" : "CVE-2026-41673",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}