Prototype pollution in DOMPurify - #VU126318
Published: April 16, 2026
Vulnerability identifier: #VU126318
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cure53
Affected software:
DOMPurify
DOMPurify
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.
The vulnerability exists due to prototype pollution in the USE_PROFILES attribute allowlist handling in DOMPurify when sanitizing markup with USE_PROFILES enabled in a runtime affected by Array.prototype pollution. A remote attacker can set a polluted Array.prototype property such as onclick or rely on an already polluted runtime to cause dangerous event handler attributes to be preserved and execute when rendered.
The issue affects cases where sanitized output is later added to the DOM.
Remediation
Install security update from vendor's website.