SB2026041630 - Multiple vulnerabilities in DOMPurify


Published: April 16, 2026 Updated: April 20, 2026

Security Bulletin ID: SB2026041630
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 83%, Low 17%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Improper Check for Unusual or Exceptional Conditions (CVE-ID: N/A)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the parent document.

The vulnerability exists due to an improper check for unusual or exceptional conditions in the IN_PLACE sanitization path when the element being sanitized originates from a different window or realm. A remote attacker who can get the application to sanitize a crafted cross-window DOM element with IN_PLACE enabled can execute arbitrary script in the parent document.

Only the IN_PLACE DOM node path is affected. Exploitation requires the application to pass an element from a different window object, such as a same-origin iframe or opened window, and then render that element into the main document after sanitization.


2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in DOMPurify's sanitize() configuration handling when a shared DOMPurify instance is reused across sanitize() calls with ADD_ATTR or ADD_TAGS supplied first as a function predicate and later as an array. A remote attacker can submit crafted HTML that triggers the stale predicate state and executes arbitrary script in the victim's browser.

The issue can bypass explicit FORBID_TAGS settings and affects cases where a shared instance is used across different sanitization contexts.


3) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass tag filtering restrictions.

The vulnerability exists due to improper access control in the ADD_TAGS tag handling logic when processing sanitized HTML with both ADD_TAGS as a function and FORBID_TAGS enabled. A remote user can supply crafted markup using forbidden tags to bypass tag filtering restrictions.

Only applications that use ADD_TAGS in function form together with FORBID_TAGS are affected.


4) Prototype pollution (CVE-ID: CVE-2026-41238)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to improperly controlled modification of object prototype attributes in DOMPurify sanitize configuration handling when sanitizing user-supplied HTML with the default CUSTOM_ELEMENT_HANDLING behavior. A remote attacker can supply crafted HTML and leverage prior prototype pollution to execute arbitrary script in a victim's browser.

User interaction is required, and exploitation requires a prototype pollution primitive in the same execution context.


5) Cross-site scripting (CVE-ID: CVE-2026-41239)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related template expressions in SAFE_FOR_TEMPLATES mode in the DOMPurify sanitizer when sanitizing crafted HTML and returning a DOM node with RETURN_DOM enabled. A remote attacker can supply specially crafted markup to execute arbitrary script in the victim's browser.

Exploitation requires the application to append the returned DOM to the document and process it with a client-side framework.


6) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-41240)

CWE-ID: CWE-183 - Permissive List of Allowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject forbidden elements into sanitized output.

The vulnerability exists due to a permissive list of allowed inputs in tag filtering logic when sanitizing content with a function-based ADD_TAGS predicate and FORBID_TAGS configured. A remote user can supply crafted markup that uses forbidden tags to inject forbidden elements into sanitized output.

Only configurations that use a function-based ADD_TAGS predicate are vulnerable.
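As an added example that is not part of this bulletin and not DOMPurify's own code, the following JavaScript audits a sanitize() configuration for the option combinations the six items above list as affected: function-form ADD_TAGS together with FORBID_TAGS (items 3 and 6), a shared instance whose ADD_TAGS or ADD_ATTR switches between function and array form across calls (item 2), SAFE_FOR_TEMPLATES combined with RETURN_DOM (item 5), and IN_PLACE on a node owned by another window (item 1). The function name, the finding format and the sample configurations are assumptions, and the item 2 check flags a switch in either direction, not only the function-then-array order described above.

```javascript
// Added example, not DOMPurify's own code: a pre-flight audit of a DOMPurify
// config against the option combinations this bulletin lists as affected.
// It inspects only the config object (and optionally the node and window that
// would be passed to sanitize()); it never calls DOMPurify. Option names are
// DOMPurify's real keys; "item" numbers refer to this bulletin.

function auditDOMPurifyConfig(config, options = {}) {
  const cfg = config || {};
  const isFn = (v) => typeof v === 'function';
  const findings = [];

  // Items 3 and 6: a function-form ADD_TAGS predicate together with FORBID_TAGS
  // can let forbidden tags into the sanitized output.
  if (isFn(cfg.ADD_TAGS) && Array.isArray(cfg.FORBID_TAGS) && cfg.FORBID_TAGS.length > 0) {
    findings.push({ item: 3, message: 'ADD_TAGS as a function combined with FORBID_TAGS' });
  }

  // Item 2: on a shared instance, ADD_TAGS/ADD_ATTR given as a predicate in one
  // call and as an array in a later call leaves stale predicate state. The
  // bulletin describes function-then-array; this check flags either direction.
  const prev = options.previousConfig || {};
  for (const key of ['ADD_TAGS', 'ADD_ATTR']) {
    if (prev[key] !== undefined && cfg[key] !== undefined && isFn(prev[key]) !== isFn(cfg[key])) {
      findings.push({ item: 2, message: `${key} switches between function and array form across calls` });
    }
  }

  // Item 5: SAFE_FOR_TEMPLATES output handed back as a DOM node via RETURN_DOM.
  if (cfg.SAFE_FOR_TEMPLATES && cfg.RETURN_DOM) {
    findings.push({ item: 5, message: 'SAFE_FOR_TEMPLATES combined with RETURN_DOM' });
  }

  // Item 1: IN_PLACE sanitization of an element owned by a different window/realm.
  // options.window is the window the sanitized node will be rendered into.
  const owner = options.node && options.node.ownerDocument && options.node.ownerDocument.defaultView;
  if (cfg.IN_PLACE && options.window && owner && owner !== options.window) {
    findings.push({ item: 1, message: 'IN_PLACE sanitization of a node from a different window' });
  }

  return findings;
}

// Constructed sample (hypothetical values): a shared instance first configured
// with a predicate and then reused with an array, both with FORBID_TAGS set.
const firstCallConfig = { ADD_TAGS: (tag) => tag === 'x-widget', FORBID_TAGS: ['style'] };
const secondCallConfig = { ADD_TAGS: ['x-widget'], FORBID_TAGS: ['style'] };
const sampleFindings = auditDOMPurifyConfig(secondCallConfig, { previousConfig: firstCallConfig });
```

An empty result only means none of the listed combinations is present in that configuration; the remediation the bulletin gives is still the vendor update.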


Remediation

Install the update from the vendor's website.