Skip to content

fix: upgrade @xmldom/xmldom to 0.8.13, 0.9.10 (CVE-2026-41672)#9207

Open
orbisai0security wants to merge 1 commit into
videojs:mainfrom
orbisai0security:fix-cve-2026-41672-xmldom-xmldom
Open

fix: upgrade @xmldom/xmldom to 0.8.13, 0.9.10 (CVE-2026-41672)#9207
orbisai0security wants to merge 1 commit into
videojs:mainfrom
orbisai0security:fix-cve-2026-41672-xmldom-xmldom

Conversation

@orbisai0security

Copy link
Copy Markdown

Summary

Upgrade @xmldom/xmldom from 0.8.10 to 0.8.13, 0.9.10 to fix CVE-2026-41672.

Vulnerability

Field Value
ID CVE-2026-41672
Severity HIGH
Scanner trivy
Rule CVE-2026-41672
File package-lock.json
Assessment Likely exploitable

Description: xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection

Evidence

Scanner confirmation: trivy rule CVE-2026-41672 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

  • package.json
  • package-lock.json

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security

Automated dependency upgrade by OrbisAI Security
@welcome

welcome Bot commented Jun 18, 2026

Copy link
Copy Markdown

💖 Thanks for opening this pull request! 💖

Things that will help get your PR across the finish line:

  • Run npm run lint -- --errors locally to catch formatting errors earlier.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant