dompurify
npm14 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting dompurifypage 1 of 1
- CVE-2019-16728MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.0.32019-09-24
DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.
- CVE-2019-25155MEDIUMCVSS 6.1EG 6.1✓ Fixed in 1.0.112023-11-07
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
- CVE-2020-26870MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.0.172020-10-07
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM eleme…
- CVE-2024-45801HIGHCVSS 7.3EG 7.3✓ Fixed in 3.1.32024-09-16
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It …
- CVE-2024-47875CRITICALCVSS 10.0EG 10.0✓ Fixed in 3.1.32024-10-11
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
- CVE-2024-48910CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.4.22024-10-31
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
- CVE-2025-26791MEDIUMCVSS 4.5EG 4.5✓ Fixed in 3.2.42025-02-14
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
- CVE-2026-41238MEDIUMCVSS 6.9EG 6.9✓ Fixed in 3.4.02026-04-23
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default confi…
- CVE-2026-41239MEDIUMCVSS 6.8EG 6.8✓ Fixed in 3.4.02026-04-23
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but n…
- CVE-2026-41240MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.4.02026-04-23
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an earl…
- CVE-2026-47423HIGHCVSS 8.2EG 8.2✓ Fixed in 3.4.52026-06-01
vulnerable: 3.4.4
DOMPurify XSS via selectedcontent re-clone ### Summary DOMPurify 3.4.4 allows `selectedcontent` by default, allowing a chain in which browsers "re-clone" an XSS payload after sanitization, effectively bypassing DOMPurify. ### Details Th…
- CVE-2026-49458MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.4.62026-06-15
DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks # Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS…
- CVE-2026-49459MEDIUMCVSS 6.1EG 6.1✓ Fixed in 3.4.62026-06-15
DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM # IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CW…
- CVE-2026-49978MEDIUMCVSS 0.0EG 0.0✓ Fixed in 3.4.72026-06-15
DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content If the HTML you give it contains a <template> element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quiet…
Check whether dompurify is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for dompurify CVEs against the assets you own.
Start Free Scan →