580 matches found
CVE-2026-49978
A flaw was found in DOMPurify, a tool designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. When performing in-place sanitization, DOMPurify could fail to properly process content within shadow DOM elements attached to a .content. This oversight allows an attacke...
CVE-2026-49459
A flaw was found in DOMPurify, a library designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting XSS attacks. A remote attacker could exploit a vulnerability in the DOMPurify.sanitize function when used with the INPLACE: true option. This flaw allows an attacker to bypass the...
CVE-2026-49458
A flaw was found in DOMPurify, a tool designed to prevent cross-site scripting XSS attacks by sanitizing HTML, MathML, and SVG content. When processing certain types of web page elements, DOMPurify failed to properly identify and sanitize malicious code. This oversight could allow an attacker to...
CVE-2026-47423
A flaw was found in DOMPurify, a DOM-only cross-site scripting XSS sanitizer. Due to the default allowance of selectedcontent, a remote attacker could craft a malicious payload that, after initial sanitization, could be re-cloned by browsers, leading to the execution of unsanitized markup. This...
CVE-2026-49978
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...
CVE-2026-49458
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizenode, INPLACE: true accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, documen...
CVE-2026-49459
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-47423
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In 3.4.4, DOMPurify allowed selectedcontent by default, allowing browsers to re-clone an XSS payload after sanitization so that unsanitized markup inside is returned. This issue is fixed in version 3.4.5...
CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...
CVE-2026-49978
CVE-2026-49978 affects DOMPurify, where IN_PLACE sanitization before version 3.4.7 could skip shadow contents inside a .content, allowing attacker-controlled markup (e.g., event handlers, JavaScript URLs, scripts) to survive during cloning and insertion of sanitized templates. The issue is fixed ...
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-49459
CVE-2026-49459 affects DOMPurify prior to 3.4.6, where IN_PLACE mode could retain event-handler attributes on an attacker‑controlled root DOM due to _isClobbered logic and incomplete removal paths. Affected component: DOMPurify.sanitize(root, { IN_PLACE: true }) with a clobbered root form. Conseq...
CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizenode, INPLACE: true accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, documen...
CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizenode, INPLACE: true accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, documen...
CVE-2026-49458
DOMPurify prior to v3.4.6 had a cross-realm IN_PLACE sanitization flaw where instanceof checks across realms allowed executable markup to bypass certain branches; fixed in v3.4.6. Affected: DOMPurify.sanitize with IN_PLACE in multi-realm scenarios. Mitigation: upgrade to DOMPurify 3.4.6 or later....
CVE-2026-47423 DOMPurify XSS via `selectedcontent` re-clone
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In 3.4.4, DOMPurify allowed selectedcontent by default, allowing browsers to re-clone an XSS payload after sanitization so that unsanitized markup inside is returned. This issue is fixed in version 3.4.5...
CVE-2026-47423
DOMPurify 3.4.4 contains a default allowlist misconfiguration that lets the selectedcontent element bypass sanitization by browser re-cloning after DOMPurify processes the subtree. This creates an XSS risk when attacker-controlled HTML is sanitized and then inserted (e.g., via innerHTML), since t...
CVE-2026-47423 DOMPurify XSS via `selectedcontent` re-clone
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In 3.4.4, DOMPurify allowed selectedcontent by default, allowing browsers to re-clone an XSS payload after sanitization so that unsanitized markup inside is returned. This issue is fixed in version 3.4.5...
ROOT-APP-NPM-CVE-2026-0540 CVE-2026-0540 in @rootio/dompurify - Patched by Root
Root has patched CVE-2026-0540 in the @rootio/dompurify package for Root:npm. Multiple fixed versions available...