VYPR
Moderate severityNVD Advisory· Published Mar 3, 2026· Updated Mar 25, 2026

DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML

CVE-2026-0540

Description

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
dompurifynpm
>= 3.1.3, < 3.3.23.3.2
dompurifynpm
>= 2.5.3, < 2.5.92.5.9

Affected products

105

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.