Lucene search
K

544 matches found

Snyk
Snyk
added 2026/04/19 9:0 p.m.6 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS leading to cross-site scripting, via custom elements. When CUSTOMELEMENTHANDLING is not enabled, and an attacker has already pollut...

6.9CVSS5.3AI score0.00205EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/19 9:0 p.m.6 views

1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2166 more potentially affected by CVE-2026-41238 via dompurify (>=3.0.1 <=3.3.3)

dompurify NPM version =3.0.1, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.5.1 and more Source cves: CVE-2026-41238 Source advisory: SNYK:JS-DOMPURIFY-16132234...

6.9CVSS5.7AI score0.00205EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/19 9:0 p.m.7 views

net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by CVE-2026-41238 via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)

org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: CVE-2026-41238 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16132235...

6.9CVSS5.8AI score0.00205EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/19 9:0 p.m.7 views

io.javalin.community.openapi:javalin-redoc-plugin (>=5.0.0 <=5.2.0), io.javalin.community.openapi:openapi-test (>=5.0.0 <=5.0.1) +12 more potentially affected by CVE-2026-41239 via org.webjars.npm:dompurify (>=2.5.8 <=3.3.0)

org.webjars.npm:dompurify MAVEN version =2.5.8, =5.0.0, =5.0.0, =1.96.0, =1.0.0, =1.0.0, =14.3.0, =0.54.0, =2.0.0, =3.1.1, =3.1.3, =3.2.2 - org.webjars.npm:tui-calendar =1.15.3 Source cves: CVE-2026-41239 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16131136...

6.8CVSS5.8AI score0.00217EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/19 9:0 p.m.6 views

011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11393 more potentially affected by CVE-2026-41239 via dompurify (>=1.0.10 <=3.3.3)

dompurify NPM version =1.0.10, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...

6.8CVSS5.7AI score0.00217EPSS
Exploits0
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/16 11:9 a.m.7 views

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoriong operands are vulnerable to cross-site scripting (GHSA-h8r8-wccr-v5f2, GHSA-cjmm-f4jc-qw8r) and prototype polution (GHSA-cj63-jhhr-wcxv)

Summary Node.js module dompurify is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site scripting GHSA-h8r8-wccr-v5f2, GHSA-cjmm-f4jc-qw8r and prototype polution GHSA-cj63-jhhr-wcxv. This...

5.9AI score
Exploits0Affected Software1
OSV
OSV
added 2026/04/16 12:46 a.m.5 views

GHSA-39Q2-94RC-95CP DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

Summary In src/purify.ts:1117-1123, ADDTAGS as a function via EXTRAELEMENTHANDLING.tagCheck bypasses FORBIDTAGS due to short-circuit evaluation. The condition: !tagChecktagName && !ALLOWEDTAGStagName || FORBIDTAGStagName When tagChecktagName returns true, the entire condition is false and the...

5.3CVSS5.8AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/16 12:46 a.m.6 views

1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2167 more potentially affected by CVE-2026-41240 via dompurify (>=3.0.0 <=3.3.3)

dompurify NPM version =3.0.0, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.5.1 and more Source cves: CVE-2026-41240 Source advisory: SNYK:JS-DOMPURIFY-16078387...

6.1CVSS7.2AI score0.00263EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/04/16 12:46 a.m.8 views

net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by CVE-2026-41240 via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)

org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: CVE-2026-41240 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16078388...

6.1CVSS5.8AI score0.00263EPSS
Exploits1
Snyk
Snyk
added 2026/04/16 12:46 a.m.8 views

Operator Precedence Logic Error

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADDTAGS over FORBIDTAGS in sanitizeElements. In an application where ADDTAG...

8.1CVSS5.7AI score0.00263EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/16 12:46 a.m.4 views

Operator Precedence Logic Error

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADDTAGS over FORBIDTAGS in sanitizeElements. In an...

8.1CVSS5.7AI score0.00263EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/16 12:46 a.m.14 views

DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

Summary In src/purify.ts:1117-1123, ADDTAGS as a function via EXTRAELEMENTHANDLING.tagCheck bypasses FORBIDTAGS due to short-circuit evaluation. The condition: !tagChecktagName && !ALLOWEDTAGStagName || FORBIDTAGStagName When tagChecktagName returns true, the entire condition is false and the...

5.8AI score
Exploits0References2Affected Software1
Atlassian
Atlassian
added 2026/04/14 10:30 p.m.22 views

XSS (Cross Site Scripting) dompurify Dependency in Bamboo Data Center

This High severity XSS Cross Site Scripting vulnerability was introduced in versions 10.0.1, 10.2.15, 12.0.0 and 12.1.2 of Bamboo Data Center. This XSS Cross Site Scripting vulnerability, with a CVSS Score of 7.3 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L allows an...

7.3CVSS5.5AI score0.00844EPSS
Exploits0
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/07 4:14 p.m.7 views

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site-scripting (CVE-2025-15599, CVE-2026-0540) and loss of confidentiality (CVE-2025-68470, CVE-2026-22029)

Summary Node.js modules DomPurify and React Router are used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site-scripting CVE-2025-15599, CVE-2026-0540 and loss of confidentiality CVE-2025-68470,...

8CVSS6.4AI score0.0077EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/07 3:38 p.m.4 views

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the DOMPurify library

Summary Due to the use of the DOMPurify library, DevOps Test Performance and Rational Performance Tester contain a cross-site scripting XSS vulnerability CVE-2025-15599, CVE-2026-0540 Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8...

6.1CVSS5.9AI score0.0034EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/06 4:27 p.m.19 views

Security Bulletin: SPSS Collaboration and Deployment Services is affected by vulnerabilities in DOMPurify (CVE-2025-15599, CVE-2026-0540)

Summary SPSS Collaboration and Deployment Services is affected by vulnerabilities in DOMPurify CVE-2025-15599, CVE-2026-0540. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2025-15599 DESCRIPTION: DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a...

6.1CVSS5.9AI score0.0034EPSS
Exploits0Affected Software1
Snyk
Snyk
added 2026/04/03 3:46 a.m.6 views

Permissive List of Allowed Inputs

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADDATTR predicate function via EXTRAELEMENTHANDLING.attributeCheck. An attacker can inject and execute malicious scripts in the DOM...

6.1CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/03 3:46 a.m.6 views

Permissive List of Allowed Inputs

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADDATTR predicate function via EXTRAELEMENTHANDLING.attributeCheck. An attacker can inject and execute malicious...

6.1CVSS6AI score
Exploits0References2
OSV
OSV
added 2026/04/03 3:46 a.m.11 views

GHSA-CJMM-F4JC-QW8R DOMPurify ADD_ATTR predicate skips URI validation

Summary DOMPurify allows ADDATTR to be provided as a predicate function via EXTRAELEMENTHANDLING.attributeCheck. When the predicate returns true, isValidAttribute short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific...

5.3CVSS6AI score
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/04/03 3:46 a.m.6 views

1router (>=0.3.96 <=1.0.2), 9router-custom (=0.3.55) +2096 more potentially affected by unknown CVE via dompurify (>=3.0.0 <=3.3.1)

dompurify NPM version =3.0.0, =0.3.96, =0.3.33, =0.5.0, =1.0.0, =1.5.1, =0.18.0-beta.0, =0.0.1, =0.1.0-alpha.1, =0.1.0, =0.1.0, =0.0.0-dev-20240828032938, =0.2.8-experimental.0, =1.2.0, =1.5.1 and more Source cves: unknown CVE Source advisory: SNYK:JS-DOMPURIFY-15874905...

5.7AI score
Exploits0
Rows per page
Query Builder