545 matches found
DOMPurify 跨站脚本漏洞
DOMPurify is a JavaScript-based tool developed by Cure53’s individual developer, designed for working with the DOM Document Object Model in HTML, MathML, and SVG. Versions 3.0.1 to 3.3.3 of DOMPurify contain cross-site scripting vulnerabilities. These vulnerabilities stem from XSS attacks that...
Linux Distros Unpatched Vulnerability : CVE-2026-41238
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS...
Linux Distros Unpatched Vulnerability : CVE-2026-41240
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBIDTAGS and FORBIDATT...
Linux Distros Unpatched Vulnerability : CVE-2026-41239
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, SAFEFORTEMPLATES strips...
DOMPurify 跨站脚本漏洞
DOMPurify is a JavaScript-based tool developed by Cure53, designed for working with the DOM Document Object Model in HTML, MathML, and SVG. Versions of DOMPurify prior to 3.4.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from inconsistencies in the handling of...
DOMPurify 跨站脚本漏洞
DOMPurify is a JavaScript-based tool developed by Cure53’s individual developer, designed for working with the DOM Document Object Model in HTML, MathML, and SVG. Versions of DOMPurify from 1.0.10 to 3.4.0 contained a cross-site scripting vulnerability. This vulnerability occurred because the...
011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11431 more potentially affected by CVE-2026-41240 via dompurify (>=0.6.6 <=3.3.3)
dompurify NPM version =0.6.6, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...
GHSA-H7MW-GPVR-XQ4M DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
There is an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214: / FORBIDATTR must always win, even if ADDATTR predicate would allow it / if FORBIDATTRlcName return false; The same fix was not...
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
There is an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214: / FORBIDATTR must always win, even if ADDATTR predicate would allow it / if FORBIDATTRlcName return false; The same fix was not...
011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11393 more potentially affected by CVE-2026-41239 via dompurify (>=1.0.10 <=3.3.3)
dompurify NPM version =1.0.10, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...
GHSA-CRV5-9VWW-Q3G8 DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Summary | Field | Value | |:------|:------| | Severity | Medium | | Affected | DOMPurify main at 883ac15, introduced in v1.0.10 7fc196db | SAFEFORTEMPLATES strips ... expressions from untrusted HTML. This works in string mode but not with RETURNDOM or RETURNDOMFRAGMENT, allowing XSS via...
GHSA-V9JR-RG53-9PGP DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Summary DOMPurify versions 3.0.1 through 3.3.3 latest are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration no CUSTOMELEMENTHANDLING option, a prior prototype pollution gadget can inject permissive tagNameCheck and...
1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2166 more potentially affected by CVE-2026-41238 via dompurify (>=3.0.1 <=3.3.3)
dompurify NPM version =3.0.1, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.5.1 and more Source cves: CVE-2026-41238 Source advisory: OSV:GHSA-V9JR-RG53-9PGP...
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Summary DOMPurify versions 3.0.1 through 3.3.3 latest are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration no CUSTOMELEMENTHANDLING option, a prior prototype pollution gadget can inject permissive tagNameCheck and...
Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2025-15599)
Summary IBM Security SOAR uses an older version of the DOMPurify component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.9.2 Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION:...
PT-2026-34602
Name of the Vulnerable Software and Affected Versions DOMPurify versions 3.0.1 through 3.3.3 Description DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. A prototype pollution-based XSS bypass exists when the DOMPurify.sanitize function is used with the default...
PT-2026-34603
Name of the Vulnerable Software and Affected Versions DOMPurify versions 1.0.10 through 3.3.x Description When the SAFE FOR TEMPLATES configuration is enabled, the software is intended to strip ... expressions from untrusted HTML to prevent cross-site scripting XSS in template-evaluating framewor...
CVE-2026-41240
creationtimestamp| type| source ---|---|--- 2026-04-20 12:41:58+00:00| published-proof-of-concept| https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m...
011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11393 more potentially affected by CVE-2026-41239 via dompurify (>=1.0.10 <=3.3.3)
dompurify NPM version =1.0.10, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...
io.javalin.community.openapi:javalin-redoc-plugin (>=5.0.0 <=5.2.0), io.javalin.community.openapi:openapi-test (>=5.0.0 <=5.0.1) +12 more potentially affected by CVE-2026-41239 via org.webjars.npm:dompurify (>=2.5.8 <=3.3.0)
org.webjars.npm:dompurify MAVEN version =2.5.8, =5.0.0, =5.0.0, =1.96.0, =1.0.0, =1.0.0, =14.3.0, =0.54.0, =2.0.0, =3.1.1, =3.1.3, =3.2.2 - org.webjars.npm:tui-calendar =1.15.3 Source cves: CVE-2026-41239 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16131136...