Security Bulletin: IBM Maximo Scheduler Optimizer uses dompurify-3.2.4.tgz which is vulnerable to CVE-2025-15599, CVE-2026-0540

Summary IBM Maximo Scheduler Optimizer uses dompurify-3.2.4.tgz which is vulnerable to CVE-2025-15599, CVE-2026-0540. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION: DOMPurify 3.1.3 through 3.2.6 and 2.5.3...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in dompurify-3.2.6.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in dompurify-3.2.6.tgz Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization...

Security Bulletin: Cross-site scripting, authentication bypass by spoofing, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service

Summary IBM Storage Defender - Resiliency Service is vulnerable to cross-site scripting, authentication bypass by spoofing, and others. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses dompurify-3.2.4.tgz, dompurify-3.2.6.tgz which is vulnerable to CVE-2025-15599, CVE-2026-0540

Summary IBM Maximo Application Suite - Visual Inspection component uses dompurify-3.2.4.tgz, dompurify-3.2.6.tgz which is vulnerable to CVE-2025-15599, CVE-2026-0540, This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2025-15599...

Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2025-15599)

Summary IBM Security SOAR uses an older version of the DOMPurify component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.9.2 Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION:...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site-scripting (CVE-2025-15599, CVE-2026-0540) and loss of confidentiality (CVE-2025-68470, CVE-2026-22029)

Summary Node.js modules DomPurify and React Router are used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site-scripting CVE-2025-15599, CVE-2026-0540 and loss of confidentiality CVE-2025-68470,...

Security Bulletin: SPSS Collaboration and Deployment Services is affected by vulnerabilities in DOMPurify (CVE-2025-15599, CVE-2026-0540)

Summary SPSS Collaboration and Deployment Services is affected by vulnerabilities in DOMPurify CVE-2025-15599, CVE-2026-0540. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a...

Linux Distros Unpatched Vulnerability : CVE-2025-15599

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by...

CVE-2025-15599

A flaw was found in DOMPurify, a library designed to prevent web vulnerabilities. A remote attacker can exploit a cross-site scripting XSS vulnerability by bypassing the library's sanitization process. This bypass is possible due to improper validation of textarea rawtext elements, allowing...

@3t-transform/threeteeui (>=1.5.1 <=1.10.0), @8btc/excalidraw (>=0.18.0-beta.0 <=0.18.0-beta.4) +1244 more potentially affected by CVE-2025-15599 via dompurify (>=3.0.0 <=3.2.6)

dompurify NPM version =3.0.0, =1.5.1, =0.18.0-beta.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.0.0, =4.4.0-rc1, =6.4.10, =5.1.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.2, =1.0.9 and more Source cves: CVE-2025-15599 Source advisory: SNYK:JS-DOMPURIFY-15371386...

CVE-2025-15599

creationtimestamp| type| source ---|---|--- 2026-03-03 20:28:33+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mg6ma2zwpa2n...

@atlassian/aui (>=9.3.22 <=10.0.0-M02), @charcoal-ui/icons (>=3.16.0 <=3.21.0) +115 more potentially affected by CVE-2025-15599 via dompurify (>=2.5.4 <=2.5.8)

dompurify NPM version =2.5.4, =9.3.22, =3.16.0, =3.0.0, =3.0.0, =0.0.0-canary-20240806060533, =0.0.0-canary-20240806060533, =0.0.0-canary-20240806060533, =0.0.0-canary-20240806060533, =0.0.0-canary-20240719153432, =0.0.0-fec-156-react19-20250116105607, =0.0.0-fec-156-react19-20250116105607,...

@8btc/excalidraw (>=0.18.0-beta.0 <=0.18.0-beta.4), @accelbyte/sdk-legal (>=0.0.0-dev-20241106153220 <=6.3.2) +1034 more potentially affected by CVE-2025-15599 via dompurify (>=3.1.3 <=3.2.6)

dompurify NPM version =3.1.3, =0.18.0-beta.0, =0.0.0-dev-20241106153220, =1.0.0, =4.4.0-rc1, =6.4.23, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.2, =1.0.0, =0.1.1, =0.1.5-alpha.2, =0.1.1, =0.1.6-alpha.5 and more Source cves: CVE-2025-15599 Source advisory: OSV:GHSA-V8JM-5VWX-CFXM...

CVE-2025-15599

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...

CVE-2025-15599 DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...

CVE-2025-15599

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...

CVE-2025-15599

CVE-2025-15599 affects DOMPurify before and after versions 2.x and 3.x due to a missing textarea rawtext validation in SAFE_FOR_XML that allows bypassing attribute sanitization and executing JavaScript when sanitized output is placed inside rawtext elements. Affected ranges: 3.1.3–3.2.6 and 2.5.3...