Lucene search
K

21 matches found

RedhatCVE
RedhatCVE
added 5 hours ago4 views

CVE-2026-49978

A flaw was found in DOMPurify, a tool designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. When performing in-place sanitization, DOMPurify could fail to properly process content within shadow DOM elements attached to a .content. This oversight allows an attacke...

8.1CVSS6.1AI score0.00038EPSS
Exploits0References6
Veracode
Veracode
added 2026/06/27 5:53 a.m.7 views

Cross-Site Scripting (XSS)

DOMPurify is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to DOMPurify skipping the contents of shadow DOM elements inside HTML elements during sanitization, which allows an attacker to embed malicious payloads that execute when the template is cloned and inserted into the pag...

6.3CVSS6.1AI score0.00038EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2026/06/23 9:47 a.m.9 views

Cross-site Scripting (XSS)

DOMPurify is vulnerable to cross-site scripting XSS. The vulnerability is due to the use of realm-specific instanceof checks when sanitizing DOM nodes from a different same-origin realm, which allows an attacker to bypass sanitization for form attributes, template content, and shadow DOM, leading...

6.1CVSS5.7AI score0.00055EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/15 8:1 p.m.12 views

GHSA-RP9W-3FW7-7CWQ DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script -...

5.1CVSS5.2AI score0.00038EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:1 p.m.11 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the INPLACE function when handling a element containing an element with an attached shadow DOM. An attacker can execute arbitrar...

6.3CVSS5.3AI score0.00038EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 7:56 p.m.19 views

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks

Cross-realm INPLACE sanitization leaves executable markup intact via realm-bound instanceof checks CWE: CWE-79 XSS — Improper Neutralization of Input During Web Page Generation via CWE-693 Protection Mechanism Failure — realm-bound instanceof checks fail-open on foreign-realm DOM nodes and CWE-50...

6.1CVSS5.8AI score0.00055EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.18 views

PT-2026-49559

Name of the Vulnerable Software and Affected Versions DOMPurify affected versions not specified Description An issue exists where the sanitizer skips the contents of a shadow DOM attached to an element inside a element. This allows malicious payloads, such as images with onerror handlers, links...

6.3CVSS6.1AI score0.00038EPSS
Exploits0References7
SUSE CVE
SUSE CVE
added 2023/02/15 5:58 a.m.6 views

SUSE CVE-2010-2302

Use-after-free vulnerability in WebCore in WebKit in Google Chrome before 5.0.375.70 allows remote attackers to cause a denial of service memory corruption or possibly execute arbitrary code via vectors involving remote fonts in conjunction with shadow DOM trees, aka rdar problem 8007953. NOTE:...

10CVSS7.7AI score0.02981EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2022/06/20 9:13 p.m.9 views

Malicious code in wm-jquery-shadow-dom (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4cce2934c0da39a0931ddef4e3d88c8f5afb631e708767cf3b4e98ec4dff7464 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9AI score
Exploits0References1
OSV
OSV
added 2022/06/20 9:13 p.m.7 views

MAL-2022-7196 Malicious code in wm-jquery-shadow-dom (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4cce2934c0da39a0931ddef4e3d88c8f5afb631e708767cf3b4e98ec4dff7464 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSV
OSV
added 2016/03/13 10:59 p.m.4 views

CVE-2016-1643

The ImageInputType::ensurePrimaryContent function in WebKit/Source/core/html/forms/ImageInputType.cpp in Blink, as used in Google Chrome before 49.0.2623.87, does not properly maintain the user agent shadow DOM, which allows remote attackers to cause a denial of service or possibly have unspecifi...

8.8CVSS7.4AI score0.02749EPSS
Exploits0References10
Prion
Prion
added 2016/03/13 10:59 p.m.25 views

Type confusion

The ImageInputType::ensurePrimaryContent function in WebKit/Source/core/html/forms/ImageInputType.cpp in Blink, as used in Google Chrome before 49.0.2623.87, does not properly maintain the user agent shadow DOM, which allows remote attackers to cause a denial of service or possibly have unspecifi...

9.3CVSS7.6AI score0.02749EPSS
Exploits0References10Affected Software1
Cvelist
Cvelist
added 2016/03/13 10:0 p.m.25 views

CVE-2016-1643

The ImageInputType::ensurePrimaryContent function in WebKit/Source/core/html/forms/ImageInputType.cpp in Blink, as used in Google Chrome before 49.0.2623.87, does not properly maintain the user agent shadow DOM, which allows remote attackers to cause a denial of service or possibly have unspecifi...

8.8AI score0.02749EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2016/03/10 7:6 a.m.6 views

chromium-browser: type confusion in Blink

The ImageInputType::ensurePrimaryContent function in WebKit/Source/core/html/forms/ImageInputType.cpp in Blink, as used in Google Chrome before 49.0.2623.87, does not properly maintain the user agent shadow DOM, which allows remote attackers to cause a denial of service or possibly have unspecifi...

9.3CVSS7.5AI score0.02749EPSS
Exploits0References5
OSV
OSV
added 2016/03/10 12:0 a.m.3 views

UBUNTU-CVE-2016-1643

The ImageInputType::ensurePrimaryContent function in WebKit/Source/core/html/forms/ImageInputType.cpp in Blink, as used in Google Chrome before 49.0.2623.87, does not properly maintain the user agent shadow DOM, which allows remote attackers to cause a denial of service or possibly have unspecifi...

8.8CVSS7.3AI score0.02749EPSS
Exploits0References3
Google Chrome Security Advisories
Google Chrome Security Advisories
added 2014/05/20 12:0 a.m.41 views

Stable Channel Update

The Chrome Team is excited to announce the promotion of Chrome 35 to the Stable channel for Windows, Mac, and Linux. Chrome 35.0.1916.114 contains a number of fixes and improvements, including: More developer control over touch input New JavaScript features Unprefixed Shadow DOM A number of new...

7.5CVSS9AI score0.01954EPSS
Exploits0Affected Software1
NVD
NVD
added 2010/06/15 6:0 p.m.32 views

CVE-2010-2302

Use-after-free vulnerability in WebCore in WebKit in Google Chrome before 5.0.375.70 allows remote attackers to cause a denial of service memory corruption or possibly execute arbitrary code via vectors involving remote fonts in conjunction with shadow DOM trees, aka rdar problem 8007953. NOTE:...

10CVSS8.8AI score0.02981EPSS
Exploits0References7
UbuntuCve
UbuntuCve
added 2010/06/15 6:0 p.m.27 views

CVE-2010-2302

Use-after-free vulnerability in WebCore in WebKit in Google Chrome before 5.0.375.70 allows remote attackers to cause a denial of service memory corruption or possibly execute arbitrary code via vectors involving remote fonts in conjunction with shadow DOM trees, aka rdar problem 8007953. NOTE:...

10CVSS5.9AI score0.02981EPSS
Exploits0References1
Prion
Prion
added 2010/06/15 6:0 p.m.26 views

Design/Logic Flaw

Use-after-free vulnerability in WebCore in WebKit in Google Chrome before 5.0.375.70 allows remote attackers to cause a denial of service memory corruption or possibly execute arbitrary code via vectors involving remote fonts in conjunction with shadow DOM trees, aka rdar problem 8007953. NOTE:...

10CVSS8AI score0.06346EPSS
Exploits0References7Affected Software4
CVE
CVE
added 2010/06/15 5:48 p.m.85 views

CVE-2010-2302

CVE-2010-2302 is a use-after-free in WebKit’s WebCore affecting Google Chrome prior to 5.0.375.70. The flaw involves remote fonts used with shadow DOM trees and can cause memory corruption, leading to a denial of service or potential arbitrary code execution. Affected component: WebKit/WebCore in...

10CVSS8.7AI score0.02981EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder