SB2026042938 - Multiple vulnerabilities in IBM DevOps Test Performance




Published: April 29, 2026

Security Bulletin ID: SB2026042938
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 67%, Low: 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Prototype pollution (CVE-ID: CVE-2026-41238)

The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to improperly controlled modification of object prototype attributes in DOMPurify sanitize configuration handling when sanitizing user-supplied HTML with the default CUSTOM_ELEMENT_HANDLING behavior. A remote attacker can supply crafted HTML and leverage prior prototype pollution to execute arbitrary script in a victim's browser.

User interaction is required, and exploitation requires a prototype pollution primitive in the same execution context.


2) Cross-site scripting (CVE-ID: CVE-2026-41239)

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related template expressions in SAFE_FOR_TEMPLATES mode in the DOMPurify sanitizer when sanitizing crafted HTML and returning a DOM node with RETURN_DOM enabled. A remote attacker can supply specially crafted markup to execute arbitrary script in the victim's browser.

Exploitation requires the application to append the returned DOM to the document and process it with a client-side framework.


3) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-41240)

The vulnerability allows a remote user to inject forbidden elements into sanitized output.

The vulnerability exists due to a permissive list of allowed inputs in tag filtering logic when sanitizing content with a function-based ADD_TAGS predicate and FORBID_TAGS configured. A remote user can supply crafted markup that uses forbidden tags to inject forbidden elements into sanitized output.

Only configurations that use a function-based ADD_TAGS predicate are vulnerable.
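The three entries above each name a sanitizer configuration as a precondition. As an added example (not code from the bulletin, from IBM or from DOMPurify), the following audits plain DOMPurify `sanitize()` configuration objects for those preconditions so affected call sites can be located before the vendor update is deployed; the call-site names and sample configurations are constructed, and treating any explicit CUSTOM_ELEMENT_HANDLING value as non-default is a heuristic.

```javascript
// Added example, not part of the bulletin or of DOMPurify itself: audit
// DOMPurify sanitize() configuration objects for the option combinations the
// bulletin names as preconditions. Only own properties are read, so a polluted
// Object.prototype cannot make a setting look present or absent to the audit.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const own = (obj, key) => (hasOwn(obj, key) ? obj[key] : undefined);

function auditPurifyConfig(config) {
  const cfg = config && typeof config === 'object' ? config : {};
  const findings = [];

  // 1) CVE-2026-41238: the default CUSTOM_ELEMENT_HANDLING path is the affected
  //    one; it needs a prototype pollution primitive in the same execution
  //    context. Heuristic: an explicitly set value is treated as non-default.
  if (!hasOwn(cfg, 'CUSTOM_ELEMENT_HANDLING')) {
    findings.push({ cve: 'CVE-2026-41238', reason: 'CUSTOM_ELEMENT_HANDLING left at default' });
  }

  // 2) CVE-2026-41239: SAFE_FOR_TEMPLATES combined with RETURN_DOM, where the
  //    returned node is later appended and processed by a client-side framework.
  if (own(cfg, 'SAFE_FOR_TEMPLATES') === true && own(cfg, 'RETURN_DOM') === true) {
    findings.push({ cve: 'CVE-2026-41239', reason: 'SAFE_FOR_TEMPLATES used with RETURN_DOM' });
  }

  // 3) CVE-2026-41240: a function-based ADD_TAGS predicate together with FORBID_TAGS.
  const forbid = own(cfg, 'FORBID_TAGS');
  if (typeof own(cfg, 'ADD_TAGS') === 'function' && Array.isArray(forbid) && forbid.length > 0) {
    findings.push({ cve: 'CVE-2026-41240', reason: 'function-based ADD_TAGS predicate with FORBID_TAGS' });
  }
  return findings;
}

// Constructed sample configurations for hypothetical call sites (not from the product).
const SAMPLE_CONFIGS = {
  commentRenderer: { ADD_TAGS: (tag) => tag.startsWith('x-'), FORBID_TAGS: ['script', 'style'] },
  templatePreview: { SAFE_FOR_TEMPLATES: true, RETURN_DOM: true, CUSTOM_ELEMENT_HANDLING: {} },
  noPreconditions: { ADD_TAGS: ['x-widget'], FORBID_TAGS: ['script'], RETURN_DOM: false, CUSTOM_ELEMENT_HANDLING: {} },
};

// Map each call site to the sorted list of bulletin CVE IDs whose preconditions it meets.
function auditAll(configs) {
  const report = {};
  for (const name of Object.keys(configs)) {
    report[name] = auditPurifyConfig(configs[name]).map((f) => f.cve).sort();
  }
  return report;
}
```

A call site that meets a precondition is only exposed once the remaining conditions in the corresponding entry hold (a pollution primitive, appending the returned DOM, and so on); the report is a triage list, not a proof of exploitability.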


Remediation

Install the update from the vendor's website.