SB2026052729 - Multiple vulnerabilities in DOMPurify


Published: May 27, 2026

Security Bulletin ID: SB2026052729
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Trust Boundary Violation (CVE-ID: N/A)

CWE-ID: CWE-501 - Trust Boundary Violation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass sanitization protections and inject disallowed HTML elements or attributes into sanitized output.

The vulnerability exists due to a trust boundary violation in DOMPurify's hook handling. A hook callback (for example one registered for uponSanitizeElement or uponSanitizeAttribute) that mutates data.allowedTags or data.allowedAttributes while sanitizing with the default configuration modifies the allow-list shared by the instance's default configuration rather than a per-call copy. A remote attacker can supply crafted content that is sanitized after such a hook has widened the default allow-list and thereby inject HTML elements or attributes that the default configuration would otherwise strip.

User interaction is required to render the attacker-influenced content. The polluted allow-list persists for the lifetime of the DOMPurify instance, until a new instance is created, so an application that registers such a hook and later sanitizes untrusted input on the same instance is affected even when the later call passes no configuration.
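The shared-allow-list behaviour described above, modelled as an added JavaScript example. This is not DOMPurify's code: it is a minimal sanitizer model whose hook API mirrors the shape of DOMPurify's (hooks receive a data object with an allowedTags map), with a hypothetical default tag list and constructed element tokens in place of a parsed DOM. The flawed variant hands hooks the instance's live allow-list; the hardened variant gives each call its own copy, so a hook's widening cannot outlive the call that triggered it.

```javascript
"use strict";

// Hypothetical subset of a default tag allow-list, keyed the way DOMPurify's
// allowedTags map is keyed (tag name -> true).
const DEFAULT_ALLOWED_TAGS = { a: true, b: true, p: true, span: true };

// Model sanitizer. isolateHookData=false mimics the flawed behaviour: hooks
// receive the instance's live default map and mutations persist.
// isolateHookData=true is the hardened form: each call works on a fresh copy
// that is discarded when the call returns.
function createSanitizer({ isolateHookData }) {
  const hooks = [];
  const defaultAllowed = { ...DEFAULT_ALLOWED_TAGS }; // instance-level state
  return {
    addHook(fn) { hooks.push(fn); },
    // `elements` is a constructed list of {name, trusted} tokens standing in
    // for parsed DOM elements; returns the tag names that survive.
    sanitize(elements) {
      const allowedTags = isolateHookData ? { ...defaultAllowed } : defaultAllowed;
      const kept = [];
      for (const el of elements) {
        const data = { tagName: el.name, allowedTags };
        for (const fn of hooks) fn(el, data);
        if (allowedTags[el.name]) kept.push(el.name);
      }
      return kept;
    },
  };
}

// A hook that widens the allow-list only for elements it has vetted, written
// the way such hooks are commonly written: by mutating data.allowedTags.
function vettedCustomTagHook(el, data) {
  if (el.name === "custom-tag" && el.trusted) {
    data.allowedTags["custom-tag"] = true;
  }
}

// Two calls on one instance: the first carries vetted content, the second
// carries attacker-influenced content sanitized with the default configuration.
function runScenario(isolateHookData) {
  const purify = createSanitizer({ isolateHookData });
  purify.addHook(vettedCustomTagHook);
  const first = purify.sanitize([
    { name: "p", trusted: true },
    { name: "custom-tag", trusted: true },
  ]);
  const second = purify.sanitize([
    { name: "custom-tag", trusted: false },
    { name: "script", trusted: false },
  ]);
  return { first, second };
}

console.log("flawed:", runScenario(false));
console.log("hardened:", runScenario(true));
```

In the flawed run the unvetted custom-tag in the second call survives because the first call's hook left it in the shared map; in the hardened run it is stripped. The practical check for an application is to look for hooks that write to data.allowedTags or data.allowedAttributes and confirm that the widening is scoped to the intended call.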


2) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper input validation in the IN_PLACE sanitization logic when processing markup across realms. An instanceof check is bound to the realm (window or document) whose constructors it references, so a node created in another realm, such as an iframe's document, fails the check even though it is a genuine DOM node. A remote attacker can supply specially crafted markup that bypasses these realm-bound instanceof checks, causing the IN_PLACE path to mishandle the input and allowing arbitrary script to execute in the victim's browser.

User interaction is required to process the crafted content.


3) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML attributes in the IN_PLACE mode root element handling when sanitizing attacker-controlled root DOM content. In IN_PLACE mode the caller passes an existing DOM node and DOMPurify sanitizes it in place instead of parsing a string, so the root node itself is attacker-controlled whenever it originates from untrusted markup. A remote attacker can supply a crafted root element whose clobbered attributes are preserved by the sanitizer, allowing arbitrary script code to execute in the victim's browser.

User interaction is required to load or process the crafted content.
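The two failure points described above (the root element escaping inspection, and attributes on a clobbered element being preserved), modelled as an added JavaScript example. This is not DOMPurify's code: it is a constructed element tree in which an element's public `attributes` property can be shadowed by a child named "attributes", the way a named form control shadows properties on its parent form in a real DOM, and `trustedAttributes()` is a hypothetical accessor standing in for a prototype-level read that clobbering cannot redirect. The hypothetical SCRIPT_ATTRS set is a small subset of a real attribute deny-list.

```javascript
"use strict";

// Attribute names that carry script. Hypothetical subset of a real deny-list.
const SCRIPT_ATTRS = new Set(["onload", "onerror", "onclick"]);

// Constructed model of an element. Real attributes live in `store`; the public
// `attributes` property is what a naive sanitizer reads and is what DOM
// clobbering can shadow.
class Elem {
  constructor(name, attrs = {}, children = []) {
    this.name = name;
    this.store = Object.entries(attrs).map(([n, v]) => ({ name: n, value: v }));
    this.children = children;
  }
  get attributes() {
    // A child with name="attributes" shadows the property, as a named control
    // shadows properties on its <form> in a real DOM.
    const clobber = this.children.find(c =>
      c.store.some(a => a.name === "name" && a.value === "attributes"));
    return clobber || this.store;
  }
}

// Hypothetical accessor that reads the element's real attribute store,
// standing in for a prototype-level read that clobbering cannot shadow.
function trustedAttributes(node) {
  return node.store;
}

// Removes script-carrying attributes using whatever accessor it is given.
// If the accessor returns something that is not an attribute list (the
// clobbered case), there is nothing to iterate and the node is left as is.
function stripScriptAttrs(node, readAttrs) {
  const attrs = readAttrs(node);
  if (!Array.isArray(attrs)) return;
  node.store = attrs.filter(a => !SCRIPT_ATTRS.has(a.name.toLowerCase()));
}

// Flawed in-place walk: only descendants are inspected, the root is never
// looked at, and attributes are read off the instance so a clobbered element
// keeps its handlers.
function sanitizeInPlaceFlawed(root) {
  for (const c of root.children) {
    stripScriptAttrs(c, n => n.attributes);
    sanitizeInPlaceFlawed(c);
  }
  return root;
}

// Hardened walk: the root gets the same treatment as everything below it and
// attributes are read via a path clobbering cannot redirect.
function sanitizeInPlaceHardened(root) {
  stripScriptAttrs(root, trustedAttributes);
  for (const c of root.children) sanitizeInPlaceHardened(c);
  return root;
}

// Lists "element@attribute" for every script attribute still present.
function survivingScriptAttrs(node, out = []) {
  for (const a of node.store) {
    if (SCRIPT_ATTRS.has(a.name.toLowerCase())) out.push(`${node.name}@${a.name}`);
  }
  for (const c of node.children) survivingScriptAttrs(c, out);
  return out;
}

// Constructed attacker-controlled root: a handler on the root itself and one
// on a <form> whose child clobbers its `attributes` property.
function buildSample() {
  return new Elem("div", { onload: "x()" }, [
    new Elem("form", { onclick: "y()" }, [new Elem("input", { name: "attributes" })]),
    new Elem("img", { onerror: "z()" }),
  ]);
}

console.log("flawed:", survivingScriptAttrs(sanitizeInPlaceFlawed(buildSample())));
console.log("hardened:", survivingScriptAttrs(sanitizeInPlaceHardened(buildSample())));
```

The flawed walk leaves both the root's onload and the clobbered form's onclick in place while correctly stripping the img's onerror; the hardened walk leaves nothing. When reviewing IN_PLACE callers, treat the passed root as untrusted input and confirm that attribute reads do not go through a property the element's own children can shadow.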


Remediation

Install the update from the vendor's website. Until the update is deployed, review any hooks that mutate data.allowedTags or data.allowedAttributes and confine their effect to the intended call, and avoid passing nodes from another realm or attacker-controlled root elements to IN_PLACE sanitization.