SB2026052306 - Cross-site scripting in DOMPurify

Published: May 23, 2026

Security Bulletin ID SB2026052306
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2026-47423)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient sanitization of user-supplied data in the DOMPurify string-input path (DOMPurify.sanitize() called on a string and returning a string) when the input contains the selectedcontent element. A remote attacker can supply crafted HTML that passes through DOMPurify.sanitize() and, once the returned string is inserted into the page, executes arbitrary script in the victim's browser.

User interaction is required: the victim must load a page that passes attacker-controlled HTML through the affected sanitization path and inserts the returned string into the document.
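The following is an added example, not code from this bulletin or from the DOMPurify project, showing a consumer-side guard for the string-input path described above. It assumes the application calls DOMPurify.sanitize() on a string and writes the result to the DOM, and it assumes (without confirmation from this bulletin) that forbidding the selectedcontent element through DOMPurify's documented FORBID_TAGS option removes the affected markup. The post-check on the returned string is defence in depth so that a sanitizer bypass fails closed instead of reaching innerHTML. The function names (hardenedConfig, scanTags, outputPolicyViolations, sanitizeChecked) and the sample strings are constructed for this example.

```javascript
"use strict";

// Elements that must never survive sanitization. selectedcontent is the
// element this bulletin associates with the bypass; forbidding it via
// FORBID_TAGS is an assumed interim mitigation, not a vendor-confirmed fix.
const FORBIDDEN_TAGS = ["selectedcontent", "script", "iframe", "object", "embed"];

// Attributes whose values are URLs and therefore must not carry javascript:.
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);

// DOMPurify configuration used for every sanitize() call. FORBID_TAGS is a
// documented DOMPurify option; it removes the listed elements regardless of
// the default allow-list.
function hardenedConfig() {
  return { FORBID_TAGS: FORBIDDEN_TAGS.slice() };
}

// Minimal tag tokenizer for serialized markup. It is only meant to run on
// DOMPurify's OUTPUT (already parsed and re-serialized by the browser), not
// on raw attacker input, where a regex scanner would be trivially bypassed.
// Returns opening tags in document order as { name, attrs: [{ name, value }] }.
function scanTags(html) {
  const tagRe = /<(\/?)([a-zA-Z][\w:-]*)([^>]*)>/g;
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1] === "/") continue; // closing tag carries no attributes
    const attrs = [];
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[3])) !== null) {
      attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? "" });
    }
    tags.push({ name: m[2].toLowerCase(), attrs });
  }
  return tags;
}

// Post-sanitization policy: returns a list of human-readable violations,
// empty when the sanitizer output contains nothing this policy forbids.
function outputPolicyViolations(sanitized) {
  const violations = [];
  for (const { name, attrs } of scanTags(sanitized)) {
    if (FORBIDDEN_TAGS.includes(name)) {
      violations.push(`forbidden element <${name}>`);
    }
    for (const attr of attrs) {
      if (attr.name.startsWith("on")) {
        violations.push(`event handler ${attr.name} on <${name}>`);
      } else if (URL_ATTRS.has(attr.name) && /^\s*javascript:/i.test(attr.value)) {
        violations.push(`javascript: URL in ${attr.name} on <${name}>`);
      }
    }
  }
  return violations;
}

// Fail-closed wrapper around a DOMPurify instance (the browser global, or
// createDOMPurify(window) under jsdom). The caller only ever receives a
// string that passed both DOMPurify and the policy above; on a violation it
// throws instead, so nothing suspect reaches innerHTML.
function sanitizeChecked(purify, dirty) {
  const clean = purify.sanitize(dirty, hardenedConfig());
  const violations = outputPolicyViolations(clean);
  if (violations.length > 0) {
    throw new Error("sanitizer output rejected: " + violations.join("; "));
  }
  return clean;
}
```

Pass the page's DOMPurify object as purify; the caller receives the cleaned string only when no violation was found. The string scan is deliberately strict and only suitable for sanitizer output: it runs on markup DOMPurify has already normalized, so any match is grounds to reject the whole fragment rather than to repair it. None of this replaces installing the vendor update.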


Remediation

Install the update from the vendor's website.