DOMPurify: Unprotected HTML Code Can Execute Malicious Scripts

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

DOMPurify: Unprotected HTML Code Can Execute Malicious Scripts

CVE-2026-0540 GHSA-v2wj-7wpq-c8vv GHSA-v2wj-7wpq-c8vv

Summary

DOMPurify versions 3.1.3 to 3.3.1 and 2.5.3 to 2.5.8 are affected by a security issue that allows hackers to inject malicious code into web pages. This could allow them to steal sensitive information or take control of user sessions. Update to version 2.5.9 or 3.3.2 to fix this issue.

What to do

Update cure53 dompurify to version 3.3.2.
Update cure53 dompurify to version 2.5.9.

Affected software

Vendor	Product	Affected versions	Fix available
cure53	dompurify	> 3.1.3 , <= 3.3.1	3.3.2
cure53	dompurify	> 2.5.3 , <= 2.5.8	2.5.9
cure53	dompurify	> 2.5.3 , <= 2.5.8	–
cure53	dompurify	> 3.1.3 , <= 3.3.1	–
cure53	dompurify	> 3.1.3 , <= 3.3.2	3.3.2
cure53	dompurify	> 2.5.3 , <= 2.5.9	2.5.9

Original title

DOMPurify contains a Cross-site Scripting vulnerability

Original description

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

nvd CVSS3.1 6.1

nvd CVSS4.0 5.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026