Cross-site scripting in DOMPurify - CVE-2026-41239


Published: April 20, 2026


Vulnerability identifier: #VU126560
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41239
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cure53
Affected software:
DOMPurify

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related template expressions in SAFE_FOR_TEMPLATES mode in the DOMPurify sanitizer when sanitizing crafted HTML and returning a DOM node with RETURN_DOM enabled. A remote attacker can supply specially crafted markup to execute arbitrary script in the victim's browser.

Exploitation requires the application to append the returned DOM to the document and process it with a client-side framework.
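As an added defender-side check (not code from the DOMPurify project or from this advisory): before a subtree returned with RETURN_DOM is appended and handed to a client-side framework, walk it and refuse it if any text node or attribute value still carries a template-expression delimiter. The patterns assume the three delimiter families SAFE_FOR_TEMPLATES is documented to strip; the node stand-ins and sample trees are constructed so the check runs outside a browser.

```javascript
// Defense-in-depth check for a DOM subtree returned by a sanitizer in
// SAFE_FOR_TEMPLATES mode: walks real browser nodes (or the stand-ins below)
// and reports every text node or attribute in which a template delimiter
// survived. Assumed patterns: the {{ }}, ${ } and <% %> families.
const TEMPLATE_EXPR = [/\{\{[\s\S]*?\}\}/, /\$\{[\s\S]*?\}/, /<%[\s\S]*?%>/];
const ELEMENT_NODE = 1; // Node.ELEMENT_NODE
const TEXT_NODE = 3;    // Node.TEXT_NODE

function hasTemplateExpr(value) {
  return TEMPLATE_EXPR.some((re) => re.test(value));
}

// Returns a list of findings; an empty list means nothing survived.
function findTemplateResidue(node, path = node.nodeName) {
  const findings = [];
  if (node.nodeType === TEXT_NODE) {
    if (hasTemplateExpr(node.nodeValue || '')) {
      findings.push({ path, kind: 'text', value: node.nodeValue });
    }
    return findings;
  }
  if (node.nodeType === ELEMENT_NODE) {
    for (const attr of Array.from(node.attributes || [])) {
      if (hasTemplateExpr(attr.value)) {
        findings.push({ path: `${path}@${attr.name}`, kind: 'attribute', value: attr.value });
      }
    }
  }
  Array.from(node.childNodes || []).forEach((child, i) => {
    findings.push(...findTemplateResidue(child, `${path}/${child.nodeName}[${i}]`));
  });
  return findings;
}

// Gate used before appending: hand the subtree to the framework only if clean.
function safeToAppend(node) {
  return findTemplateResidue(node).length === 0;
}

// Constructed stand-ins for DOM nodes so the check runs outside a browser.
const text = (v) => ({ nodeType: TEXT_NODE, nodeName: '#text', nodeValue: v, childNodes: [] });
const el = (name, attrs = {}, children = []) => ({
  nodeType: ELEMENT_NODE, nodeName: name.toUpperCase(),
  attributes: Object.entries(attrs).map(([n, v]) => ({ name: n, value: v })),
  childNodes: children,
});

// Constructed samples: one clean fragment, one where delimiters survived.
const cleanTree = el('div', {}, [el('p', { class: 'note' }, [text('Hello, user')])]);
const dirtyTree = el('div', {}, [el('a', { title: '{{ctx.secret}}' }, [text('link')]), text('total: ${price}')]);
```

With real DOM output, pass the element or fragment the sanitizer returned; the same walk applies because only standard node properties are read.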


How to mitigate CVE-2026-41239

Install the security update from the vendor's website.

Sources