SB2026041630 - Multiple vulnerabilities in DOMPurify

Published: April 16, 2026

Security Bulletin ID: SB2026041630
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100% (3 of 3 vulnerabilities)

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper Check for Unusual or Exceptional Conditions (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary script in the parent document.

The vulnerability exists due to an improper check for unusual or exceptional conditions in the IN_PLACE sanitization path when the element being sanitized originates from a different window or realm. A remote attacker who can get the application to sanitize a crafted cross-window DOM element with IN_PLACE enabled can execute arbitrary script in the parent document.

Only the IN_PLACE DOM node path is affected. Exploitation requires the application to pass an element from a different window object, such as a same-origin iframe or opened window, and then render that element into the main document after sanitization.
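The affected pattern is an application that takes a node owned by another window and hands it to sanitize() with IN_PLACE enabled. The following guard is an added example and not DOMPurify's own code: it checks which window owns the node before choosing the sanitization mode. It assumes that restricting IN_PLACE to nodes owned by the current document keeps the application off the affected cross-window path, and that serializing a foreign node and sanitizing the resulting markup string is an acceptable fallback for the caller; the fixtures in demo() are constructed stand-ins for a DOM and a DOMPurify instance so the code runs offline.

```javascript
// Added example, not DOMPurify's own code. Guard against passing a DOM node
// that belongs to another window (same-origin iframe, window.open() child)
// to DOMPurify.sanitize(node, { IN_PLACE: true }).
// Assumption: limiting IN_PLACE to nodes owned by the current document keeps
// the application off the affected cross-window IN_PLACE path; foreign nodes
// are serialized and sanitized as markup instead.

// True when `node` is owned by the document of `expectedWindow`.
function isOwnedByWindow(node, expectedWindow) {
  if (!node || typeof node !== "object") return false;
  const doc = node.ownerDocument;
  if (!doc || !doc.defaultView) return false; // detached node, or a document without a window
  return doc.defaultView === expectedWindow;
}

// `purifier` is a DOMPurify instance bound to `targetWindow`, i.e. DOMPurify(targetWindow).
// Returns the sanitized result and which mode was used.
function sanitizeForWindow(purifier, node, targetWindow, config = {}) {
  if (isOwnedByWindow(node, targetWindow)) {
    return { mode: "in-place", result: purifier.sanitize(node, { ...config, IN_PLACE: true }) };
  }
  // Foreign realm or detached node: never mutate it in place. Serialize it and
  // sanitize the string; the caller inserts the clean markup into the main document.
  const markup = typeof node.outerHTML === "string" ? node.outerHTML : "";
  return { mode: "string", result: purifier.sanitize(markup, { ...config, IN_PLACE: false }) };
}

// Constructed fixtures so the example runs offline (no real DOM): two windows,
// one node per document, a detached node, and a recording stand-in for a
// DOMPurify instance that only notes which IN_PLACE value it was called with.
function demo() {
  const mainWindow = { name: "main" };
  const frameWindow = { name: "frame" };
  const mainNode = { ownerDocument: { defaultView: mainWindow }, outerHTML: "<b>main</b>" };
  const frameNode = { ownerDocument: { defaultView: frameWindow }, outerHTML: "<b>frame</b>" };
  const detachedNode = { ownerDocument: { defaultView: null }, outerHTML: "<i>x</i>" };
  const inPlaceFlags = [];
  const fakePurifier = {
    sanitize(input, cfg) { inPlaceFlags.push(cfg.IN_PLACE === true); return input; },
  };
  return {
    main: sanitizeForWindow(fakePurifier, mainNode, mainWindow).mode,
    frame: sanitizeForWindow(fakePurifier, frameNode, mainWindow).mode,
    detached: sanitizeForWindow(fakePurifier, detachedNode, mainWindow).mode,
    inPlaceFlags,
  };
}
```

With a real browser DOM the same check reads `el.ownerDocument.defaultView === window`; nodes taken from `iframe.contentDocument` fail it and go through the string path.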


2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of input in DOMPurify's sanitize() configuration handling when a shared DOMPurify instance is reused across sanitize() calls and ADD_ATTR or ADD_TAGS is supplied first as a function predicate and later as an array. A remote attacker can submit crafted HTML that triggers the stale predicate state and executes arbitrary script in the victim's browser.

The issue can bypass explicit FORBID_TAGS settings and affects deployments where one shared instance is used across different sanitization contexts.


3) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to bypass tag filtering restrictions.

The vulnerability exists due to improper access control in the ADD_TAGS handling logic when HTML is sanitized with ADD_TAGS supplied as a function and FORBID_TAGS also set. A remote user can supply crafted markup using forbidden tags to bypass tag filtering restrictions.

Only applications that use ADD_TAGS in function form together with FORBID_TAGS are affected.
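Vulnerabilities 2 and 3 both stem from how a shared instance and the function form of ADD_TAGS/ADD_ATTR interact with FORBID_TAGS. Installing the vendor update is the remediation; the following application-side hygiene is an added example, not DOMPurify's own code, and serves both items above: one DOMPurify instance per named sanitization profile, so predicate state from one call never carries into another (item 2), and a registration-time check that rejects ADD_TAGS in function form whenever FORBID_TAGS is set for that profile (item 3). It assumes the DOMPurify factory is injected as `createPurifier` (in a real app, the module export called as `DOMPurify(window)`); `fakeCreatePurifier` is a constructed stand-in so the code runs offline.

```javascript
// Added example, not DOMPurify's own code. Keeps one DOMPurify instance per
// sanitization profile and refuses the ADD_TAGS function form alongside
// FORBID_TAGS, so neither the stale-predicate path nor the ADD_TAGS/FORBID_TAGS
// bypass described in the bulletin is reachable from application code.
// Assumption: `createPurifier(windowObj)` is the DOMPurify factory (injected here).

// Returns a list of policy problems for a profile's config; empty means accepted.
function validateProfile(name, config) {
  const problems = [];
  const hasForbidTags = Array.isArray(config.FORBID_TAGS) && config.FORBID_TAGS.length > 0;
  if (typeof config.ADD_TAGS === "function" && hasForbidTags) {
    problems.push(`${name}: ADD_TAGS as a function combined with FORBID_TAGS; list the tags as an array instead`);
  }
  for (const key of ["ADD_TAGS", "ADD_ATTR"]) {
    if (key in config && typeof config[key] !== "function" && !Array.isArray(config[key])) {
      problems.push(`${name}: ${key} must be an array of names`);
    }
  }
  return problems;
}

class ProfileSanitizers {
  constructor(createPurifier, windowObj) {
    this.createPurifier = createPurifier;
    this.windowObj = windowObj;
    this.profiles = new Map();
  }

  // Registers a named profile with its own DOMPurify instance and a frozen config.
  register(name, config) {
    if (this.profiles.has(name)) throw new Error(`profile already registered: ${name}`);
    const problems = validateProfile(name, config);
    if (problems.length > 0) throw new Error(problems.join("; "));
    // A fresh instance per profile: ADD_TAGS/ADD_ATTR state set by one profile
    // can never be observed by another, which is the cross-context mixing at issue.
    const instance = this.createPurifier(this.windowObj);
    this.profiles.set(name, { instance, config: Object.freeze({ ...config }) });
  }

  // Always passes the profile's full config, never a partial override.
  sanitize(name, dirty) {
    const profile = this.profiles.get(name);
    if (!profile) throw new Error(`unknown sanitization profile: ${name}`);
    return profile.instance.sanitize(dirty, profile.config);
  }
}

// Constructed stand-in for DOMPurify(window): each instance records the configs
// it was called with and returns the input unchanged. Only for the offline demo.
function fakeCreatePurifier() {
  const seen = [];
  return { seen, sanitize(input, cfg) { seen.push(cfg); return input; } };
}

function demo() {
  const reg = new ProfileSanitizers(fakeCreatePurifier, {});
  reg.register("comments", { ALLOWED_TAGS: ["b", "i", "a"], FORBID_TAGS: ["style"] });
  reg.register("wiki", { ADD_TAGS: ["figure"], FORBID_TAGS: ["script"] });
  let rejected = null;
  try {
    // Function-form ADD_TAGS with FORBID_TAGS: the combination the bulletin names.
    reg.register("widgets", { ADD_TAGS: (tag) => tag === "x-widget", FORBID_TAGS: ["script"] });
  } catch (e) {
    rejected = e.message;
  }
  reg.sanitize("comments", "<b>hi</b>");
  reg.sanitize("wiki", "<figure></figure>");
  const comments = reg.profiles.get("comments");
  const wiki = reg.profiles.get("wiki");
  return {
    distinctInstances: comments.instance !== wiki.instance,
    commentsCalls: comments.instance.seen.length,
    wikiCalls: wiki.instance.seen.length,
    rejected,
  };
}
```

The per-profile instance is what matters for item 2: with one instance per profile, a profile configured with an array can never follow a function-predicate call on the same instance.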


Remediation

Install the update from the vendor's website.