Lucene search
+L

580 matches found

OSV
OSV
added 5 hours ago3 views

ROOT-APP-NPM-CVE-2026-49459 CVE-2026-49459 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-49459 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS6.1AI score0.00254EPSS
Exploits0
OSV
OSV
added 5 hours ago7 views

ROOT-APP-NPM-CVE-2026-49458 CVE-2026-49458 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-49458 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS6.1AI score0.00288EPSS
Exploits0
OSV
OSV
added 5 hours ago10 views

ROOT-APP-NPM-CVE-2026-0540 CVE-2026-0540 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-0540 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS7.2AI score0.0034EPSS
Exploits0
OSV
OSV
added 5 hours ago11 views

ROOT-APP-NPM-GHSA-H8R8-WCCR-V5F2 GHSA-h8r8-wccr-v5f2 in @rootio/dompurify - Patched by Root

Root has patched GHSA-h8r8-wccr-v5f2 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

5.8AI score
Exploits0
OSV
OSV
added 5 hours ago10 views

ROOT-APP-NPM-CVE-2026-41239 CVE-2026-41239 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-41239 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.8CVSS5.8AI score0.00248EPSS
Exploits0
OSV
OSV
added 5 hours ago5 views

ROOT-APP-NPM-CVE-2026-41238 CVE-2026-41238 in @rootio/dompurify - Patched by Root

Root has patched CVE-2026-41238 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.9CVSS5.8AI score0.00225EPSS
Exploits0
OSV
OSV
added 5 hours ago12 views

ROOT-APP-NPM-CVE-2025-26791 CVE-2025-26791 in @rootio/dompurify - Patched by Root

Root has patched CVE-2025-26791 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...

6.1CVSS6.6AI score0.00583EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2 days ago6 views

CVE-2026-49978

A flaw was found in DOMPurify, a tool designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. When performing in-place sanitization, DOMPurify could fail to properly process content within shadow DOM elements attached to a .content. This oversight allows an attacke...

8.1CVSS6.1AI score0.00388EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2 days ago5 views

CVE-2026-49459

A flaw was found in DOMPurify, a library designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. A remote attacker could exploit a vulnerability in the DOMPurify.sanitize function when used with the INPLACE: true option. This flaw allows an attacker to bypass the...

6.1CVSS6.2AI score0.00254EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2 days ago5 views

CVE-2026-49458

A flaw was found in DOMPurify, a tool designed to prevent cross-site scripting XSS attacks by sanitizing HTML, MathML, and SVG content. When processing certain types of web page elements, DOMPurify failed to properly identify and sanitize malicious code. This oversight could allow an attacker to...

6.1CVSS6.1AI score0.00288EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2 days ago5 views

CVE-2026-47423

A flaw was found in DOMPurify, a DOM-only cross-site scripting XSS sanitizer. Due to the default allowance of selectedcontent, a remote attacker could craft a malicious payload that, after initial sanitization, could be re-cloned by browsers, leading to the execution of unsanitized markup. This...

8.2CVSS6.1AI score0.00278EPSS
Exploits0References6
NVD
NVD
added 3 days ago4 views

CVE-2026-49978

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...

6.3CVSS0.00388EPSS
Exploits0References3
NVD
NVD
added 3 days ago3 views

CVE-2026-49459

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...

6.1CVSS0.00254EPSS
Exploits0References3
NVD
NVD
added 3 days ago3 views

CVE-2026-49458

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizenode, INPLACE: true accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, documen...

6.1CVSS0.00288EPSS
Exploits0References3
NVD
NVD
added 3 days ago3 views

CVE-2026-47423

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In 3.4.4, DOMPurify allowed selectedcontent by default, allowing browsers to re-clone an XSS payload after sanitization so that unsanitized markup inside is returned. This issue is fixed in version 3.4.5...

8.2CVSS0.00278EPSS
Exploits0References3
CVE
CVE
added 3 days ago36 views

CVE-2026-49978

CVE-2026-49978 affects DOMPurify, where IN_PLACE sanitization before version 3.4.7 could skip shadow contents inside a .content, allowing attacker-controlled markup (e.g., event handlers, JavaScript URLs, scripts) to survive during cloning and insertion of sanitized templates. The issue is fixed ...

6.3CVSS6.1AI score0.00388EPSS
Exploits0References3
OSV
OSV
added 3 days ago5 views

CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...

6.3CVSS6.1AI score0.00388EPSS
Exploits0References5
OSV
OSV
added 3 days ago4 views

CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...

6.1CVSS6.1AI score0.00254EPSS
Exploits0References5
Cvelist
Cvelist
added 3 days ago34 views

CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...

6.1CVSS0.00254EPSS
Exploits0References3
CVE
CVE
added 3 days ago57 views

CVE-2026-49459

CVE-2026-49459 affects DOMPurify prior to 3.4.6, where IN_PLACE mode could retain event-handler attributes on an attacker‑controlled root DOM due to _isClobbered logic and incomplete removal paths. Affected component: DOMPurify.sanitize(root, { IN_PLACE: true }) with a clobbered root form. Conseq...

6.1CVSS6.1AI score0.00254EPSS
Exploits0References3
Rows per page
Query Builder