3 matches found
CVE-2026-49978
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...
CVE-2026-49978
CVE-2026-49978 affects DOMPurify, where IN_PLACE sanitization before version 3.4.7 could skip shadow contents inside a .content, allowing attacker-controlled markup (e.g., event handlers, JavaScript URLs, scripts) to survive during cloning and insertion of sanitized templates. The issue is fixed ...
CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify INPLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive an...