542 matches found
ROOT-APP-NPM-GHSA-H8R8-WCCR-V5F2 GHSA-h8r8-wccr-v5f2 in @rootio/dompurify - Patched by Root
Root has patched GHSA-h8r8-wccr-v5f2 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-CJ63-JHHR-WCXV GHSA-cj63-jhhr-wcxv in @rootio/dompurify - Patched by Root
Root has patched GHSA-cj63-jhhr-wcxv in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-41239 CVE-2026-41239 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-41239 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-CJMM-F4JC-QW8R GHSA-cjmm-f4jc-qw8r in @rootio/dompurify - Patched by Root
Root has patched GHSA-cjmm-f4jc-qw8r in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-26791 CVE-2025-26791 in @rootio/dompurify - Patched by Root
Root has patched CVE-2025-26791 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-15599 CVE-2025-15599 in @rootio/dompurify - Patched by Root
Root has patched CVE-2025-15599 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-39Q2-94RC-95CP GHSA-39q2-94rc-95cp in @rootio/dompurify - Patched by Root
Root has patched GHSA-39q2-94rc-95cp in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-41240 CVE-2026-41240 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-41240 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-0540 CVE-2026-0540 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-0540 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
CVE-2026-12048
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed...
CVE-2026-12048 pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser
Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relation-does-not-exist errors and inside EXPLAIN Recheck Cond / Exact Heap Blocks fields) was passed...
CVE-2026-12048
CVE-2026-12048 affects pgAdmin 4 (versions 6.0 up to 9.16). Stored XSS occurs when untrusted server-returned text is passed through html-react-parser in multiple user-facing sinks (toasts, dialogs, explain visualiser, SQL editor prompts, etc.), allowing an attacker-controlled PostgreSQL server to...
GHSA-CMWH-PVXP-8882 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
Summary: DOMPurify 3.4.7 shipped a security fix for "permanent hook pollution" that makes a registered uponSanitizeAttribute hook's mutation of data.allowedAttributes non-persistent, so allowing an attribute for one element does not leak into later sanitize calls. The fix clones ALLOWED_ATTR inside...
PT-2026-50814
Name of the Vulnerable Software and Affected Versions: pgAdmin 4 versions 6.0 through 9.15. Description: Stored cross-site scripting exists in the error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server, such as ErrorResponse messages, object names in...
Open WebUI: Stored XSS in Mermaid Markdown Preview
Summary: Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working paylo...
PT-2026-50483
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.6. Description: The application renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel:...
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
Impact: A DOMPurify instance that is reused across trust boundaries can stay bound to a previously supplied TRUSTED_TYPES_POLICY even after clearConfig is called. A later caller that requests RETURN_TRUSTED_TYPE receives a TrustedHTML object created by the old policy, not by a clean default...
GHSA-VXR8-FQ34-VVX9 DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
Impact: A DOMPurify instance that is reused across trust boundaries can stay bound to a previously supplied TRUSTED_TYPES_POLICY even after clearConfig is called. A later caller that requests RETURN_TRUSTED_TYPE receives a TrustedHTML object created by the old policy, not by a clean default...
DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes
Summary: When DOMPurify is configured with both SAFE_FOR_TEMPLATES: true and RETURN_DOM: true or IN_PLACE: true, an attacker can inject template expressions, such as $evil or evil, that survive the sanitization pass inside <template> element content. This bypasses the explicit purpose of SAFE_FOR_TEMPLATES, whi...
GHSA-RP9W-3FW7-7CWQ DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
If the HTML you give it contains a <template> element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there (an image with an onerror handler, a link with a javascript: URL, even a full script)...