30 matches found
CVE-2026-0540
CVE-2026-0540 affects DOMPurify versions 3.1.3–3.3.1 and 2.5.3–2.5.8. The vulnerability arises from five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex, allowing crafted attribute values to bypass sanitization and trigger XSS when output is placed in...
CVE-2025-15599 DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
EUVD-2025-208240
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
CVE-2025-15599 DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
CVE-2025-15599
CVE-2025-15599 affects DOMPurify before and after versions 2.x and 3.x due to a missing textarea rawtext validation in SAFE_FOR_XML that allows bypassing attribute sanitization and executing JavaScript when sanitized output is placed inside rawtext elements. Affected ranges: 3.1.3–3.2.6 and 2.5.3...
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
PT-2026-22763
Name of the Vulnerable Software and Affected Versions DOMPurify versions 2.5.3 through 2.5.8 DOMPurify versions 3.1.3 through 3.2.6 Description DOMPurify contains a cross-site scripting issue that allows attackers to bypass attribute sanitization. This is due to missing textarea rawtext element...
PT-2026-22765
Name of the Vulnerable Software and Affected Versions DOMPurify versions 2.5.3 through 2.5.8 DOMPurify versions 3.1.3 through 3.3.1 Description DOMPurify contains a cross-site scripting issue that allows attackers to bypass attribute sanitization. This bypass is achieved by exploiting missing...
CVE-2019-12970
XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of...