Medium severity (6.8) · NVD Advisory · Published Apr 23, 2026 · Updated Apr 23, 2026
CVE-2026-41239
Description
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. The SAFE_FOR_TEMPLATES option is meant to strip {{...}} expressions from untrusted HTML so that a template-evaluating framework does not interpret attacker-controlled markup as a template. In versions from 1.0.10 up to but not including 3.4.0 this stripping is applied only in the default string-returning mode; when the sanitizer is called with RETURN_DOM or RETURN_DOM_FRAGMENT, the expressions survive in the returned DOM. A consumer that mounts that DOM into a template-evaluating framework such as Vue 2 is therefore exposed to XSS despite having enabled SAFE_FOR_TEMPLATES. Callers that use string mode are not affected by this issue. Version 3.4.0 patches the issue; consumers of an affected version should upgrade, or at least avoid combining SAFE_FOR_TEMPLATES with a DOM-returning mode until they do.
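The check a consumer of an affected version would want, written here as an added example and not taken from DOMPurify's own source: walk the DOM returned by a SAFE_FOR_TEMPLATES + RETURN_DOM / RETURN_DOM_FRAGMENT call, report whether any {{...}} survived, and strip it from text nodes and attribute values before the tree reaches a template-evaluating framework. The regex, the stub tree and the `{{ 7 * 7 }}` probe are this example's own assumptions; the walker itself only uses standard DOM properties (`nodeType`, `data`, `attributes`, `childNodes`, `setAttribute`) so it runs unchanged against a real browser or jsdom tree.

```javascript
// Added example (not DOMPurify's own code). A defence-in-depth pass for code that
// sanitises with { SAFE_FOR_TEMPLATES: true } and asks for a DOM back
// (RETURN_DOM / RETURN_DOM_FRAGMENT): walk the returned tree, report whether any
// {{...}} survived, and strip it from text nodes and attribute values before the
// tree is handed to a template-evaluating framework such as Vue 2.

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;
const DOCUMENT_FRAGMENT_NODE = 11;

// Assumption: this regex is the example's own, not DOMPurify's internal one.
// It removes a complete {{ ... }} and, conservatively, an unterminated "{{" to
// end of string, since a half-open expression could still be closed by adjacent
// template text once the fragment is mounted.
const MUSTACHE = /\{\{[\s\S]*?\}\}|\{\{[\s\S]*$/g;

function stripMustache(value) {
  return value.replace(MUSTACHE, ' ');
}

// Visit every string a template engine might evaluate: text-node data and
// attribute values (attributes are included conservatively; not every engine
// evaluates them). fn receives the current value and a setter for it.
// Comment nodes are skipped; DOMPurify drops them by default anyway.
function forEachEvaluableString(node, fn) {
  if (node.nodeType === TEXT_NODE) {
    fn(node.data, (v) => { node.data = v; });
    return;
  }
  if (node.nodeType === ELEMENT_NODE && node.attributes) {
    for (const attr of Array.from(node.attributes)) {
      fn(attr.value, (v) => node.setAttribute(attr.name, v));
    }
  }
  for (const child of Array.from(node.childNodes || [])) {
    forEachEvaluableString(child, fn);
  }
}

// True if any text node or attribute in the tree still carries "{{".
// Use this as an assertion on the output of an unpatched sanitizer.
function containsTemplateExpression(root) {
  let found = false;
  forEachEvaluableString(root, (v) => { if (v.includes('{{')) found = true; });
  return found;
}

// Strip surviving expressions in place; returns how many strings were changed.
function stripTemplateExpressions(root) {
  let changed = 0;
  forEachEvaluableString(root, (v, set) => {
    const cleaned = stripMustache(v);
    if (cleaned !== v) { set(cleaned); changed += 1; }
  });
  return changed;
}

// Constructed stub tree (assumption), standing in for a DocumentFragment in
// which a {{...}} expression survived DOM-mode sanitisation. Only the DOM
// properties the walker touches are modelled.
function textNode(data) { return { nodeType: TEXT_NODE, data, childNodes: [] }; }
function element(tagName, attrs, childNodes) {
  const attributes = Object.entries(attrs).map(([name, value]) => ({ name, value }));
  return {
    nodeType: ELEMENT_NODE, tagName, attributes, childNodes,
    setAttribute(name, value) {
      const a = attributes.find((x) => x.name === name);
      if (a) a.value = value; else attributes.push({ name, value });
    },
  };
}
function sampleFragment() {
  // "{{ 7 * 7 }}" is a harmless probe: an engine that evaluates it renders 49.
  return {
    nodeType: DOCUMENT_FRAGMENT_NODE,
    childNodes: [
      element('div', { title: '{{ 7 * 7 }}', class: 'note' }, [
        textNode('Hello {{ 7 * 7 }} world'),
        element('b', {}, [textNode('plain')]),
      ]),
    ],
  };
}

// Usage against a real sanitizer (not run here; needs dompurify and a DOM):
//   const tree = DOMPurify.sanitize(untrusted, { SAFE_FOR_TEMPLATES: true, RETURN_DOM_FRAGMENT: true });
//   if (containsTemplateExpression(tree)) stripTemplateExpressions(tree);

const demo = sampleFragment();
console.log('before:', containsTemplateExpression(demo));        // true
console.log('changed strings:', stripTemplateExpressions(demo)); // 2
console.log('after:', containsTemplateExpression(demo));         // false
```

The `containsTemplateExpression` check is the useful part for verifying a deployment: run it over the DOM an affected version returns for a payload containing `{{ 7 * 7 }}` and it reports true, while on 3.4.0 or in string mode the expression is already gone. The stripping pass is a stopgap for code that cannot upgrade immediately; it is not a substitute for the patched release.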
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dompurify | npm | >= 1.0.10, < 3.4.0 | 3.4.0 |
Affected products
17 OSV coordinates; no CPE is assigned to any of them. Ranges are paired with the coordinates in the order the page lists them.

| OSV coordinate | Affected range |
|---|---|
| pkg:apk/chainguard/langfuse-fips-3 | < 3.164.0-r6 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.164.0-r6 |
| pkg:apk/chainguard/nextcloud-server-33 | < 33.0.6-r0 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.6.0-r3 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.6.0-r4 |
| pkg:apk/chainguard/wazuh-dashboard-alerting-dashboards-plugin | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-anomaly-detection-dashboards-plugin | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-dashboards-maps | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-dashboards-notifications | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-dashboards-reporting | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-dashboards-visualizations | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-index-management-dashboards-plugin | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-plugins | < 4.14.4-r3 |
| pkg:apk/chainguard/wazuh-dashboard-plugins-fips | < 4.14.4-r2 |
| pkg:apk/wolfi/nextcloud-server-33 | < 33.0.6-r0 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.6.0-r3 |
| pkg:npm/dompurify | >= 1.0.10, < 3.4.0 |