Cross-site scripting in DOMPurify - #VU132356


Published: May 27, 2026


Vulnerability identifier: #VU132356
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cure53
Affected software:
DOMPurify

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML attributes in the IN_PLACE mode root element handling when sanitizing attacker-controlled root DOM content. A remote attacker can supply a crafted root element whose clobbered attributes are preserved by the sanitizer, and thereby execute arbitrary script code in the victim's browser.

User interaction is required to load or process the crafted content.
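The advisory describes attributes on an attacker-controlled root element surviving an IN_PLACE sanitization pass. The following is an added defensive check, not code from DOMPurify or the advisory: a post-sanitization audit of the root element's attribute list that a caller can run before attaching the node to the page. The function names (`auditRootAttributes`, `isScriptUrl`, `URL_ATTRS`) and the sample attribute list are this example's own assumptions; it takes plain `{name, value}` pairs so it runs without a DOM.

```javascript
// Added example (not DOMPurify's own code). When DOMPurify runs with
// IN_PLACE: true on a root the attacker controls, re-check that root's
// attributes before using the node. In a browser the input would be
// Array.from(root.attributes, a => ({ name: a.name, value: a.value })).

// Attributes whose value is interpreted as a URL.
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href", "data"]);

function isScriptUrl(value) {
  // Conservative: drop whitespace/control characters anywhere, since browsers
  // ignore several of them before and inside the scheme, then compare.
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return v.startsWith("javascript:") || v.startsWith("vbscript:");
}

// Returns a list of findings; an empty list means the root carries none of
// the generic script-capable attribute patterns checked here.
function auditRootAttributes(attrs) {
  const findings = [];
  for (const { name, value } of attrs) {
    const n = name.toLowerCase();
    if (n.startsWith("on")) {
      findings.push({ name, reason: "event handler attribute" });
    } else if (n === "srcdoc") {
      findings.push({ name, reason: "inline document source" });
    } else if (URL_ATTRS.has(n) && isScriptUrl(value)) {
      findings.push({ name, reason: "script URL scheme" });
    }
  }
  return findings;
}

// Constructed sample: attributes of a root element left intact by an
// in-place pass. Two of the four should be flagged.
const SAMPLE_ROOT_ATTRS = [
  { name: "class", value: "comment" },
  { name: "onmouseover", value: "x()" },
  { name: "href", value: " JavaScript:void(0)" },
  { name: "data-id", value: "42" },
];

if (auditRootAttributes(SAMPLE_ROOT_ATTRS).length > 0) {
  console.log("root element carries script-capable attributes; do not attach it");
}
```

The structural alternative is not to hand the sanitizer an attacker-controlled root at all: place the untrusted markup inside a freshly created element the application owns, so the root that IN_PLACE mode preserves is trusted.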


Remediation

Install the security update from the vendor's website.

Sources