DOMPurify: Malicious Code Injection Through Sanitized Text

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

DOMPurify: Malicious Code Injection Through Sanitized Text

CVE-2025-15599 GHSA-v8jm-5vwx-cfxm GHSA-v8jm-5vwx-cfxm

Summary

DOMPurify, a JavaScript library used to sanitize user input, has a security flaw that can allow hackers to inject malicious code into your website. This could lead to unauthorized actions being performed on your site. Update to the latest version of DOMPurify to fix this issue, especially if you're using version 3.x.

What to do

Update cure53 dompurify to version 3.2.7.

Affected software

Vendor	Product	Affected versions	Fix available
cure53	dompurify	> 3.1.3 , <= 3.2.7	3.2.7
cure53	dompurify	> 2.5.3 , <= 2.5.8	–
cure53	dompurify	> 2.5.3 , <= 2.5.8	–
cure53	dompurify	> 3.1.3 , <= 3.2.7	–

Original title

DOMPurify contains a Cross-site Scripting vulnerability

Original description

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

nvd CVSS3.1 6.1

nvd CVSS4.0 5.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026