9 matches found
CVE-2026-41238
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype-pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype...
CVE-2026-41238
DOMPurify is vulnerable to a prototype-pollution-based XSS bypass in versions 3.0.1–3.3.3 when using the default sanitize() config (no CUSTOM_ELEMENT_HANDLING). A polluted Object.prototype can inject permissive tagNameCheck and attributeNameCheck values, allowing arbitrary custom elements with ev...
GHSA-V9JR-RG53-9PGP DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Summary: DOMPurify versions 3.0.1 through 3.3.3 (latest) are vulnerable to a prototype-pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype pollution gadget can inject permissive tagNameCheck and...
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Summary: DOMPurify versions 3.0.1 through 3.3.3 (latest) are vulnerable to a prototype-pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype pollution gadget can inject permissive tagNameCheck and...
PT-2026-34602
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype-pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype...
Cross-site Scripting (XSS)
Overview: dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) leading to cross-site scripting via custom elements. When CUSTOM_ELEMENT_HANDLING is not enabled, and an attacker has already polluted the prototype...
Firefox + custom elements + iframes bug
Over at Shopify we've been building a bunch of web components to use internally and in third-party contexts. All of a sudden, we found some strange errors in our logs, all from Firefox. This is the post I wish existed when we discovered it. Update: This is now fixed, and should land in Firefox 15...
Microsoft Edge Denial of Service Vulnerability
Microsoft Edge, a web browser developed by Microsoft based on the Chromium open source project and other open source software, has a denial-of-service vulnerability in versions prior to Microsoft Edge 106.0.1370.34 (based on Google Chrome versions prior to 106.0.5249.91), which originates from a...
Google Chrome resource management error vulnerability
Microsoft Edge, a web browser developed by Microsoft based on the Chromium open source project and other open source software, has a denial-of-service vulnerability in versions prior to Microsoft Edge 106.0.1370.34 (based on Google Chrome versions prior to 106.0.5249.91), which originates from a...