Moderate severity · NVD Advisory · Published Feb 14, 2025 · Updated Feb 14, 2025
CVE-2025-26791
Description
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dompurify (npm) | < 3.2.4 | 3.2.4 |
Affected products
52 · osv-coords · 51 versions (no CPE listed for any entry)

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/grafana-image-renderer | < 3.12.1-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-compat | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-config | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-maps | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-notifications | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-observability | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbench | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-reporting | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevance | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizations | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-config | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-maps | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notifications | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observability | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbench | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reporting | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevance | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizations | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboards | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboards | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/wolfi/grafana-image-renderer | < 3.12.1-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-compat | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-config | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-maps | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-notifications | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-observability | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbench | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-reporting | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevance | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizations | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboards | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-plugin | < 2.19.0-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-plugin | < 2.19.0-r1 |
| pkg:npm/dompurify | < 3.2.4 |
| pkg:rpm/opensuse/argocd-cli&distro=openSUSE%20Tumbleweed | < 2.14.8-1.1 |
References
- github.com/advisories/GHSA-vhxf-7vqr-mrjg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-26791 (ghsa, ADVISORY)
- ensy.zip/posts/dompurify-323-bypass (ghsa, WEB)
- github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02 (ghsa, WEB)
- github.com/cure53/DOMPurify/releases/tag/3.2.4 (ghsa, WEB)
- nsysean.github.io/posts/dompurify-323-bypass (ghsa, WEB)
- ensy.zip/posts/dompurify-323-bypass/ (mitre)
- nsysean.github.io/posts/dompurify-323-bypass/ (mitre)