Moderate severity · NVD Advisory · Published Mar 3, 2026 · Updated Mar 3, 2026

DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML

CVE-2025-15599

Description

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags, such as the closing textarea tag, in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
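The advisory names two things a defender can act on: sanitizer output that carries a closing rawtext end tag inside an attribute value, and the affected version ranges. The example below is added here and is not DOMPurify's own code or part of the NVD record. It implements a post-sanitization tripwire that flags attribute values containing a closing rawtext/RCDATA end tag (generalised beyond textarea to the other rawtext elements), an escaper for text that has to land inside an RCDATA element, and a version check against the ranges in the advisory's package table. The element list, regexes and function names are this example's own assumptions.

```javascript
// Added example (not DOMPurify's code): defender-side checks derived from the
// advisory text. Element list, regexes and function names are assumptions.

// Elements whose content is tokenised as RCDATA or RAWTEXT; an end tag for the
// enclosing element inside embedded content ends that raw context.
const RAWTEXT_ELEMENTS = [
  "textarea", "title",                    // RCDATA: character references decoded
  "script", "style", "xmp", "iframe",     // RAWTEXT: no decoding at all
  "noembed", "noframes", "noscript", "plaintext",
];

// "</name" followed by whitespace, ">" or "/" (how the tokeniser recognises an
// end tag), or by the end of the value. Conservative and case-insensitive.
const CLOSING_RAWTEXT_RE = new RegExp(
  `<\\/(${RAWTEXT_ELEMENTS.join("|")})(?=[\\s>/]|$)`, "i");

// Quoted or unquoted attribute values in serialised HTML. A regex is not an
// HTML parser; this is a tripwire run on sanitiser output, not a sanitiser.
const ATTRIBUTE_RE = /\s([^\s=\/>"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/g;

// Returns one finding per attribute value that would end a rawtext context.
function findClosingRawtextInAttributes(html) {
  const findings = [];
  for (const m of html.matchAll(ATTRIBUTE_RE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    const hit = CLOSING_RAWTEXT_RE.exec(value);
    if (hit) findings.push({ attribute: m[1], element: hit[1].toLowerCase(), value });
  }
  return findings;
}

// For text that must be placed inside an RCDATA element (<textarea>, <title>),
// escaping "<" and "&" is sufficient: references are decoded on display, but
// "&lt;/textarea>" never tokenises as an end tag. This does not help for RAWTEXT
// elements such as <script>, where references are not decoded; sanitiser
// output should not be placed there at all.
function escapeForRcdata(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Version check against the affected ranges in the advisory's package table.
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
function isAffectedDompurifyVersion(version) {
  const ge = (v, lo) => compareVersions(v, lo) >= 0;
  const lt = (v, hi) => compareVersions(v, hi) < 0;
  const le = (v, hi) => compareVersions(v, hi) <= 0;
  // 3.x: fixed in 3.2.7. 2.x: the advisory lists no patched release.
  return (ge(version, "3.1.3") && lt(version, "3.2.7")) ||
         (ge(version, "2.5.3") && le(version, "2.5.8"));
}

// Constructed sample: output that is harmless as ordinary HTML but whose title
// attribute would close a <textarea> the output is later embedded in.
const SAMPLE_OUTPUT = '<b title="note </TEXTAREA > end">hello</b><i title="ok">x</i>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(findClosingRawtextInAttributes(SAMPLE_OUTPUT));
  console.log(isAffectedDompurifyVersion("3.2.6"), isAffectedDompurifyVersion("3.2.7"));
}
```

The tripwire is a compensating control for code that has not yet upgraded; the actual fix is to move the 3.x branch to 3.2.7 or later, migrate off 2.x, and avoid inserting sanitizer output into rawtext elements in the first place.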


Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions      Patched versions
dompurify (npm)   >= 3.1.3, < 3.2.7      3.2.7
dompurify (npm)   >= 2.5.3, <= 2.5.8     none (2.x branch never patched)
