Cross-site scripting in DOMPurify - #VU132386

Published: May 27, 2026


Vulnerability identifier: #VU132386
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cure53
Affected software: DOMPurify

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists because the sanitization of template content mishandles HTML in which a template element inside template.content has an attached shadow root. A remote attacker can supply crafted HTML that survives sanitization and executes arbitrary script in the victim's browser.

Exploitation requires that the application clone the template and insert the result into the page.
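Added example, not DOMPurify's own code and not part of the advisory: a defender-side wrapper that removes template elements whenever untrusted HTML is sanitized, so the template-content path described above is never reached by the application, and that fails closed if a template element nonetheless survives. It assumes DOMPurify's documented `sanitize(dirty, config)` call and its `FORBID_TAGS` option; the purifier instance is injected, and the regex-based stub purifier and the sample markup are constructed stand-ins so the wrapper can run outside a browser.

```javascript
// Hardening wrapper around a DOMPurify-style sanitizer (example code, not
// DOMPurify's own). Assumes DOMPurify's documented sanitize(dirty, config)
// API and its FORBID_TAGS option; the purifier is injected so the same
// wrapper can be exercised with a stub outside a browser.

// Build a config that drops <template> elements outright. If the application
// never needs templates from untrusted HTML, nothing legitimate is lost and
// the template-content sanitization path is never exercised on its output.
function hardenedConfig(extra = {}) {
  const forbid = new Set([...(extra.FORBID_TAGS || []), 'template']);
  return { ...extra, FORBID_TAGS: [...forbid] };
}

// Post-condition on the serialized output: no <template> start tag may be
// present. Only the markup tree is checked; escaped text such as
// "&lt;template" is inert and does not match.
function containsTemplateTag(html) {
  return /<template[\s>\/]/i.test(html);
}

// Sanitize, then verify. Throws rather than handing back markup that the
// caller might clone into the page.
function sanitizeUntrustedHtml(purifier, dirty, extra = {}) {
  const clean = purifier.sanitize(dirty, hardenedConfig(extra));
  if (containsTemplateTag(clean)) {
    throw new Error('sanitizer returned a <template> element; refusing to render');
  }
  return clean;
}

// Constructed stand-in for DOMPurify for offline runs: honours FORBID_TAGS by
// stripping the forbidden elements and their content with a regex. A real
// deployment passes the DOMPurify object instead.
function stubPurifier() {
  return {
    sanitize(dirty, config = {}) {
      let out = dirty;
      for (const tag of config.FORBID_TAGS || []) {
        const re = new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>`, 'gi');
        out = out.replace(re, '');
      }
      return out;
    },
  };
}

// Constructed sample: untrusted markup carrying a template element.
function demo() {
  const sample = '<p>hi</p><template id="t"><b>x</b></template>';
  return sanitizeUntrustedHtml(stubPurifier(), sample); // returns '<p>hi</p>'
}
```

In a browser, pass the real `DOMPurify` object in place of the stub and keep the output check in front of any code that clones a template into the document; the `template` entry in `FORBID_TAGS` should only be dropped once the vendor's fix is installed and templates from untrusted sources are genuinely needed.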


Remediation

Install security update from vendor's website.

Sources