Lucene search
K

545 matches found

CNNVD
CNNVD
added 2026/04/23 12:0 a.m.24 views

DOMPurify 跨站脚本漏洞

DOMPurify is a JavaScript-based tool developed by Cure53’s individual developer, designed for working with the DOM Document Object Model in HTML, MathML, and SVG. Versions 3.0.1 to 3.3.3 of DOMPurify contain cross-site scripting vulnerabilities. These vulnerabilities stem from XSS attacks that...

6.9CVSS5.8AI score0.00225EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/04/23 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-41238

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS...

6.9CVSS5.8AI score0.00225EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/04/23 12:0 a.m.8 views

Linux Distros Unpatched Vulnerability : CVE-2026-41240

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBIDTAGS and FORBIDATT...

6.1CVSS5.7AI score0.00263EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/04/23 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-41239

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, SAFEFORTEMPLATES strips...

6.8CVSS5.7AI score0.00217EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.11 views

DOMPurify 跨站脚本漏洞

DOMPurify is a JavaScript-based tool developed by Cure53, designed for working with the DOM Document Object Model in HTML, MathML, and SVG. Versions of DOMPurify prior to 3.4.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from inconsistencies in the handling of...

6.1CVSS5.7AI score0.00263EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.11 views

DOMPurify 跨站脚本漏洞

DOMPurify is a JavaScript-based tool developed by Cure53’s individual developer, designed for working with the DOM Document Object Model in HTML, MathML, and SVG. Versions of DOMPurify from 1.0.10 to 3.4.0 contained a cross-site scripting vulnerability. This vulnerability occurred because the...

6.8CVSS5.6AI score0.00217EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/04/22 5:34 p.m.8 views

011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11431 more potentially affected by CVE-2026-41240 via dompurify (>=0.6.6 <=3.3.3)

dompurify NPM version =0.6.6, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...

6.1CVSS7.2AI score0.00263EPSS
Exploits1
OSV
OSV
added 2026/04/22 5:34 p.m.5 views

GHSA-H7MW-GPVR-XQ4M DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

There is an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214: / FORBIDATTR must always win, even if ADDATTR predicate would allow it / if FORBIDATTRlcName return false; The same fix was not...

6CVSS5.7AI score0.00263EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/04/22 5:34 p.m.19 views

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

There is an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214: / FORBIDATTR must always win, even if ADDATTR predicate would allow it / if FORBIDATTRlcName return false; The same fix was not...

6.1CVSS5.7AI score0.00263EPSS
Exploits1References5Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/22 5:32 p.m.8 views

011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11393 more potentially affected by CVE-2026-41239 via dompurify (>=1.0.10 <=3.3.3)

dompurify NPM version =1.0.10, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...

6.8CVSS5.7AI score0.00217EPSS
Exploits0
OSV
OSV
added 2026/04/22 5:32 p.m.2 views

GHSA-CRV5-9VWW-Q3G8 DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode

Summary | Field | Value | |:------|:------| | Severity | Medium | | Affected | DOMPurify main at 883ac15, introduced in v1.0.10 7fc196db | SAFEFORTEMPLATES strips ... expressions from untrusted HTML. This works in string mode but not with RETURNDOM or RETURNDOMFRAGMENT, allowing XSS via...

6.8CVSS5.8AI score0.00217EPSS
Exploits0References4
OSV
OSV
added 2026/04/22 5:31 p.m.5 views

GHSA-V9JR-RG53-9PGP DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Summary DOMPurify versions 3.0.1 through 3.3.3 latest are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration no CUSTOMELEMENTHANDLING option, a prior prototype pollution gadget can inject permissive tagNameCheck and...

6.9CVSS6AI score0.00225EPSS
Exploits0References4
vulnersOsv
vulnersOsv
added 2026/04/22 5:31 p.m.7 views

1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2166 more potentially affected by CVE-2026-41238 via dompurify (>=3.0.1 <=3.3.3)

dompurify NPM version =3.0.1, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.5.1 and more Source cves: CVE-2026-41238 Source advisory: OSV:GHSA-V9JR-RG53-9PGP...

6.9CVSS5.7AI score0.00225EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/04/22 5:31 p.m.10 views

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Summary DOMPurify versions 3.0.1 through 3.3.3 latest are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration no CUSTOMELEMENTHANDLING option, a prior prototype pollution gadget can inject permissive tagNameCheck and...

6.9CVSS7.4AI score0.00225EPSS
Exploits0References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/22 2:30 p.m.4 views

Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2025-15599)

Summary IBM Security SOAR uses an older version of the DOMPurify component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.9.2 Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION:...

6.1CVSS5.6AI score0.0034EPSS
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.6 views

PT-2026-34602

Name of the Vulnerable Software and Affected Versions DOMPurify versions 3.0.1 through 3.3.3 Description DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. A prototype pollution-based XSS bypass exists when the DOMPurify.sanitize function is used with the default...

6.9CVSS5.9AI score0.00225EPSS
Exploits0References212
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.8 views

PT-2026-34603

Name of the Vulnerable Software and Affected Versions DOMPurify versions 1.0.10 through 3.3.x Description When the SAFE FOR TEMPLATES configuration is enabled, the software is intended to strip ... expressions from untrusted HTML to prevent cross-site scripting XSS in template-evaluating framewor...

6.8CVSS4.9AI score0.00217EPSS
Exploits0References213
Circl
Circl
added 2026/04/20 12:41 p.m.7 views

CVE-2026-41240

creationtimestamp| type| source ---|---|--- 2026-04-20 12:41:58+00:00| published-proof-of-concept| https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m...

6.1CVSS5.8AI score0.00263EPSS
Exploits1References1
vulnersOsv
vulnersOsv
added 2026/04/19 9:0 p.m.7 views

011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11393 more potentially affected by CVE-2026-41239 via dompurify (>=1.0.10 <=3.3.3)

dompurify NPM version =1.0.10, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...

6.8CVSS5.7AI score0.00217EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/19 9:0 p.m.7 views

io.javalin.community.openapi:javalin-redoc-plugin (>=5.0.0 <=5.2.0), io.javalin.community.openapi:openapi-test (>=5.0.0 <=5.0.1) +12 more potentially affected by CVE-2026-41239 via org.webjars.npm:dompurify (>=2.5.8 <=3.3.0)

org.webjars.npm:dompurify MAVEN version =2.5.8, =5.0.0, =5.0.0, =1.96.0, =1.0.0, =1.0.0, =14.3.0, =0.54.0, =2.0.0, =3.1.1, =3.1.3, =3.2.2 - org.webjars.npm:tui-calendar =1.15.3 Source cves: CVE-2026-41239 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16131136...

6.8CVSS5.8AI score0.00217EPSS
Exploits0
Rows per page
Query Builder