Lucene search
+L

4 matches found

NVD
NVD
added 5 days ago3 views

CVE-2026-47423

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In 3.4.4, DOMPurify allowed selectedcontent by default, allowing browsers to re-clone an XSS payload after sanitization so that unsanitized markup inside is returned. This issue is fixed in version 3.4.5...

8.2CVSS0.00278EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/01 2:7 p.m.9 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the HTML allowlist in dist/purify.cjs.js and related build artifacts. An attacker can inject a selectedcontent element into...

8.2CVSS5.3AI score0.00278EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/04/27 6:6 p.m.4 views

dompurify: DOMPurify: Cross-site scripting vulnerability allows information disclosure

A flaw was found in DOMPurify, a DOM-only cross-site scripting XSS sanitizer. Due to the default allowance of selectedcontent, a remote attacker could craft a malicious payload that, after initial sanitization, could be re-cloned by browsers, leading to the execution of unsanitized markup. This...

8.2CVSS6.1AI score0.00278EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/03/17 2:7 p.m.12 views

Uncontrolled recursion DoS in JustHTML() via deeply nested HTML

Summary justhtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, JustHTML.init always reaches TreeBuilder.finish, which unconditionally calls populateselectedcontent. That function recursively traverses the DOM via findelements / findelement without a depth bound,...

5.8AI score
Exploits0References3Affected Software1
Rows per page
Query Builder