Trust Boundary Violation in DOMPurify - #VU132354

Published: May 27, 2026


Vulnerability identifier: #VU132354
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-501
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cure53
Affected software: DOMPurify

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass sanitization protections and inject disallowed HTML elements or attributes into sanitized output.

The vulnerability exists due to a trust boundary violation in DOMPurify's hook handling: a hook callback that mutates data.allowedTags or data.allowedAttributes during sanitization under the default configuration widens the default allow-list. A remote attacker can supply crafted content that is sanitized after such a hook has run, bypassing sanitization protections and injecting disallowed HTML elements or attributes into the sanitized output.

User interaction is required to render attacker-influenced content, and the polluted allow-list persists for the lifetime of the DOMPurify instance until a new instance is created.
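The persistence described above, modelled as an added example that is not DOMPurify's code: a constructed toy sanitizer whose hooks receive the instance allow-list by reference, beside a form that hands each call a fresh copy of the defaults, plus a check that exercises the difference. The names createLeakySanitizer, createIsolatedSanitizer, makeSanitizer and allowListPersists, and the sample inputs, are assumptions made for this illustration.

```javascript
// Constructed model of the pattern the advisory describes; it is NOT DOMPurify's
// code: a tiny tag sanitizer whose hooks receive a `data` object carrying the
// allow-list, the way DOMPurify's uponSanitizeElement hooks do via data.allowedTags.
const DEFAULT_ALLOWED_TAGS = ['b', 'i', 'p', 'a'];

// Vulnerable shape: the instance-wide default allow-list is handed to hooks by
// reference, so a hook that widens it pollutes every later sanitize() call.
function createLeakySanitizer() {
  const allowedTags = new Set(DEFAULT_ALLOWED_TAGS);
  return makeSanitizer(() => allowedTags);
}

// Hardened shape: every call works on a fresh copy of the defaults, so a hook's
// widening is scoped to that call and cannot persist for the instance lifetime.
function createIsolatedSanitizer() {
  return makeSanitizer(() => new Set(DEFAULT_ALLOWED_TAGS));
}

// Shared engine: strips any tag not in the allow-list after the hooks have run.
// (Toy tag handling, enough to show the trust-boundary problem and nothing more.)
function makeSanitizer(allowListForCall) {
  const hooks = [];
  return {
    addHook: (fn) => hooks.push(fn),
    sanitize(html) {
      const allowedTags = allowListForCall();
      return html.replace(/<\/?([a-z][a-z0-9]*)[^>]*>/gi, (tag, name) => {
        const data = { tagName: name.toLowerCase(), allowedTags };
        for (const fn of hooks) fn(data);
        return data.allowedTags.has(data.tagName) ? tag : '';
      });
    },
  };
}

// Regression check for the persistence the advisory describes: a hook widens the
// allow-list for one trusted call; the next, untrusted call must not benefit.
function allowListPersists(factory) {
  const sanitizer = factory();
  let trustedCall = true;
  sanitizer.addHook((data) => {
    if (trustedCall && data.tagName === 'video') data.allowedTags.add('video');
  });
  sanitizer.sanitize('<p><video></video></p>'); // constructed trusted input; widening intended
  trustedCall = false;
  const out = sanitizer.sanitize('<p><video src="x"></video></p>'); // constructed untrusted input
  return out.includes('<video'); // true means the widened allow-list leaked into this call
}
```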


Remediation

Install the security update from the vendor's website.

Sources