Xml-Injection

samlify's template substitution only escapes attribute contexts, leaving values inserted into element text (e.g., `<saml:AttributeValue>`) unescaped, allowing a normal user to inject XML markup into an attribute value and add new `<saml:Attribute>` elements inside the signed assertion, leading to privilege escalation when attributes are used for authorization (CVE-2026-46490).

CVE-2026-41675 is an XML node injection vulnerability in the xmldom library, potentially leading to code execution or information disclosure in applications that process XML data using the affected library.

The xmldom package is vulnerable to XML injection. The package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. To address this applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node's publicId, systemId, or internalSubset properties should audit all serializeToString() call sites and add the option.