Security Advisories (1)

CVE-2026-8177 (2026-05-10)

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.

NAME

XML::LibXML::Dtd - XML::LibXML DTD Handling

SYNOPSIS

use XML::LibXML;

$dtd = XML::LibXML::Dtd->new($public_id, $system_id);
$dtd = XML::LibXML::Dtd->parse_string($dtd_str);
$publicId = $dtd->getName();
$publicId = $dtd->publicId();
$systemId = $dtd->systemId();

DESCRIPTION

This class holds a DTD. You may parse a DTD from either a string, or from an external SYSTEM identifier.

No support is available as yet for parsing from a filehandle.

XML::LibXML::Dtd is a sub-class of XML::LibXML::Node, so all the methods available to nodes (particularly toString()) are available to Dtd objects.

METHODS

new

$dtd = XML::LibXML::Dtd->new($public_id, $system_id);

Parse a DTD from the system identifier, and return a DTD object that you can pass to $doc->is_valid() or $doc->validate().

my $dtd = XML::LibXML::Dtd->new(
                      "SOME // Public / ID / 1.0",
                      "test.dtd"
                                );
 my $doc = XML::LibXML->new->parse_file("test.xml");
 $doc->validate($dtd);

parse_string

$dtd = XML::LibXML::Dtd->parse_string($dtd_str);

The same as new() above, except you can parse a DTD from a string. Note that parsing from string may fail if the DTD contains external parametric-entity references with relative URLs.

getName

$publicId = $dtd->getName();

Returns the name of DTD; i.e., the name immediately following the DOCTYPE keyword.

publicId

$publicId = $dtd->publicId();

Returns the public identifier of the external subset.

systemId

$systemId = $dtd->systemId();

Returns the system identifier of the external subset.

AUTHORS

Matt Sergeant, Christian Glahn, Petr Pajas

VERSION

2.0210

COPYRIGHT

2001-2007, AxKit.com Ltd.

2002-2006, Christian Glahn.

2006-2009, Petr Pajas.

LICENSE

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

To install XML::LibXML, copy and paste the appropriate command in to your terminal.

cpanm

cpanm XML::LibXML

CPAN shell

perl -MCPAN -e shell
install XML::LibXML

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)