Security Bulletin: SPSS Collaboration and Deployment Services is affected by vulnerabilities in DOMPurify (CVE-2025-15599, CVE-2026-0540)
Summary: SPSS Collaboration and Deployment Services is affected by vulnerabilities in DOMPurify (CVE-2025-15599, CVE-2026-0540). This has been addressed in the remediation section. Vulnerability Details: CVEID: CVE-2025-15599 DESCRIPTION: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a...
net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by unknown CVE via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)
org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15874906...
GHSA-CJMM-F4JC-QW8R DOMPurify ADD_ATTR predicate skips URI validation
Summary DOMPurify allows ADD_ATTR to be provided as a predicate function via EXTRA_ELEMENT_HANDLING.attributeCheck. When the predicate returns true, isValidAttribute short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific...
Permissive List of Allowed Inputs
Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADD_ATTR predicate function via EXTRA_ELEMENT_HANDLING.attributeCheck. An attacker can inject and execute malicious scripts in the DOM...
Permissive List of Allowed Inputs
Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADD_ATTR predicate function via EXTRA_ELEMENT_HANDLING.attributeCheck. An attacker can inject and execute malicious...
DOMPurify ADD_ATTR predicate skips URI validation
Summary DOMPurify allows ADD_ATTR to be provided as a predicate function via EXTRA_ELEMENT_HANDLING.attributeCheck. When the predicate returns true, isValidAttribute short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific...
1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2079 more potentially affected by unknown CVE via dompurify (>=3.0.0 <=3.3.1)
dompurify NPM version =3.0.0, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.0.0, =1.0.35 and more Source cves: unknown CVE Source advisory: SNYK:JS-DOMPURIFY-15874905...
Prototype Pollution
Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Prototype Pollution in the USE_PROFILES function. An attacker can execute arbitrary JavaScript code in the context of the user's browser by polluting...
DOMPurify USE_PROFILES prototype pollution allows event handlers
Summary When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via ALLOWED_ATTR[lcName], any Array.prototype property that is polluted also counts as an allowlisted attribute. An...
1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2079 more potentially affected by unknown CVE via dompurify (>=3.0.0 <=3.3.1)
dompurify NPM version =3.0.0, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.0.0, =1.0.35 and more Source cves: unknown CVE Source advisory: SNYK:JS-DOMPURIFY-15874903...
GHSA-CJ63-JHHR-WCXV DOMPurify USE_PROFILES prototype pollution allows event handlers
Summary When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via ALLOWED_ATTR[lcName], any Array.prototype property that is polluted also counts as an allowlisted attribute. An...
net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by unknown CVE via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)
org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15874904...
Cross-site Scripting (XSS)
Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers such as script, xmp, iframe, noembed, noframes, o...
net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by unknown CVE via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)
org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15810939...
1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2079 more potentially affected by unknown CVE via dompurify (>=3.0.0 <=3.3.1)
dompurify NPM version =3.0.0, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.0.0, =1.0.35 and more Source cves: unknown CVE Source advisory: SNYK:JS-DOMPURIFY-15810938...
011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11456 more potentially affected by unknown CVE via dompurify (>=0.6.6 <=3.3.1)
dompurify NPM version =0.6.6, =3.3.1 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...
GHSA-H8R8-WCCR-V5F2 DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
Description A mutation-XSS (mXSS) condition was confirmed when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers. The vulnerable wrappers confirmed in browser behavior are script, xmp, iframe, noembed, noframes, and noscript. The payload remains seemingly...
Cross-site Scripting (XSS)
Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers such as script, xmp, iframe,...
CVE-2026-31833
Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1 and 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler...
EUVD-2026-12105
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS...