Cross-site scripting in DOMPurify - CVE-2026-47423


Published: May 23, 2026


Vulnerability identifier: #VU132186
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-47423
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cure53
Affected software: DOMPurify

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient sanitization in the DOMPurify string-input sanitization path when it processes attacker-controlled HTML that contains a selectedcontent element. A remote attacker can supply crafted HTML which, after being sanitized and inserted into the page, executes arbitrary script in the victim's browser.

User interaction is required to load content that processes attacker-controlled HTML and inserts the returned string into the page.


How to mitigate CVE-2026-47423

Install the security update from the vendor's website.