580 matches found
ROOT-APP-NPM-CVE-2026-49459 CVE-2026-49459 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-49459 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-49458 CVE-2026-49458 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-49458 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-0540 CVE-2026-0540 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-0540 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-H8R8-WCCR-V5F2 GHSA-h8r8-wccr-v5f2 in @rootio/dompurify - Patched by Root
Root has patched GHSA-h8r8-wccr-v5f2 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-41239 CVE-2026-41239 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-41239 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-41238 CVE-2026-41238 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-41238 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-26791 CVE-2025-26791 in @rootio/dompurify - Patched by Root
Root has patched CVE-2025-26791 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...
CVE-2026-49978
A flaw was found in DOMPurify, a tool designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. When performing in-place sanitization, DOMPurify could fail to properly process content within shadow DOM elements attached to a .content. This oversight allows an attacke...
CVE-2026-49459
A flaw was found in DOMPurify, a library designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. A remote attacker could exploit a vulnerability in the DOMPurify.sanitize function when used with the INPLACE: true option. This flaw allows an attacker to bypass the...
CVE-2026-49458
A flaw was found in DOMPurify, a tool designed to prevent cross-site scripting XSS attacks by sanitizing HTML, MathML, and SVG content. When processing certain types of web page elements, DOMPurify failed to properly identify and sanitize malicious code. This oversight could allow an attacker to...
CVE-2026-47423
A flaw was found in DOMPurify, a DOM-only cross-site scripting XSS sanitizer. Due to the default allowance of selectedcontent, a remote attacker could craft a malicious payload that, after initial sanitization, could be re-cloned by browsers, leading to the execution of unsanitized markup. This...
CVE-2026-49978
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...
CVE-2026-49459
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-49458
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizenode, INPLACE: true accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, documen...
CVE-2026-47423
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In 3.4.4, DOMPurify allowed selectedcontent by default, allowing browsers to re-clone an XSS payload after sanitization so that unsanitized markup inside is returned. This issue is fixed in version 3.4.5...
CVE-2026-49978
CVE-2026-49978 affects DOMPurify, where IN_PLACE sanitization before version 3.4.7 could skip shadow contents inside a .content, allowing attacker-controlled markup (e.g., event handlers, JavaScript URLs, scripts) to survive during cloning and insertion of sanitized templates. The issue is fixed ...
CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-49459
CVE-2026-49459 affects DOMPurify prior to 3.4.6, where IN_PLACE mode could retain event-handler attributes on an attacker‑controlled root DOM due to _isClobbered logic and incomplete removal paths. Affected component: DOMPurify.sanitize(root, { IN_PLACE: true }) with a clobbered root form. Conseq...