CVE-2026-41673
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to ver
CVSS
7.5
Alto
EPSS
0.6%
p47
KEV
—
Exploit Today
14
0-100
Publicado: 7 may 2026 · Última mod.: 15 jul 2026 · CWE-674 · CWE-776
0.6%EPSS · 30 días0.6%
2026-06-302026-07-16
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
- github.comhttps://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa
- github.comhttps://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597
- github.comhttps://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f
- github.comhttps://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a
- github.comhttps://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe
- github.comhttps://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3
- github.comhttps://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112
- github.comhttps://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb
- github.comhttps://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84
- github.comhttps://github.com/xmldom/xmldom/releases/tag/0.8.13
- github.comhttps://github.com/xmldom/xmldom/releases/tag/0.9.10
- github.comhttps://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26234
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-41673
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2467630
- github.comhttps://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41673.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-331167.5 ALT80.0%
——24Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.2dCVE-2026-261717.5 ALT75.4%
——23Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.2dCVE-2026-416065.3 MED63.1%
——19Uncontrolled Recursion vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.2dCVE-2026-262787.5 ALT52.8%
——16fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.16hCVE-2026-453047.5 ALT52.6%
——16Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.2dCVE-2026-309227.5 ALT52.5%
——16pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.2d