CVE-2026-41240
- EPSS 0.01%
- Published 23.04.2026 14:54:32
- Last modified 29.04.2026 14:58:30
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for ...
CVE-2026-41239
- EPSS 0.05%
- Published 23.04.2026 14:47:56
- Last modified 23.04.2026 16:18:41
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RE...
CVE-2026-41238
- EPSS 0.04%
- Published 23.04.2026 14:43:17
- Last modified 23.04.2026 18:16:29
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (n...
CVE-2026-0540
- EPSS 0.01%
- Published 03.03.2026 17:26:06
- Last modified 25.03.2026 16:16:10
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, n...
CVE-2025-15599
- EPSS 0.04%
- Published 03.03.2026 17:26:05
- Last modified 05.03.2026 00:36:06
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers c...
CVE-2025-48050
- EPSS 0.39%
- Published 15.05.2025 00:00:00
- Last modified 15.04.2026 00:35:42
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expre...
CVE-2025-26791
- EPSS 0.11%
- Published 14.02.2025 09:15:08
- Last modified 07.10.2025 20:56:12
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
CVE-2024-48910
- EPSS 2.59%
- Published 31.10.2024 15:15:15
- Last modified 03.11.2025 21:16:31
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
CVE-2024-47875
- EPSS 0.7%
- Published 11.10.2024 15:15:05
- Last modified 03.11.2025 21:16:30
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
CVE-2024-45801
- EPSS 0.1%
- Published 16.09.2024 19:16:11
- Last modified 22.09.2025 17:15:13
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also po...