Medium severity (6.1) · NVD Advisory · Published Apr 23, 2026 · Updated Apr 29, 2026
CVE-2026-41240
Description
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214, but the same fix was not applied to FORBID_TAGS. At lines 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, short-circuit evaluation skips the FORBID_TAGS check entirely, so elements the operator explicitly forbade survive sanitization with their attributes intact. Version 3.4.0 patches the issue.
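The check-ordering flaw described above, modelled in a short added JavaScript example that is not DOMPurify's code: a minimal element-keep decision in which a function-based tag rule is evaluated before the forbid list, so a true result short-circuits past it, beside the ordering with the early exit the description credits to the fix. Every name (keepElementVulnerable, keepElementFixed, sanitizeTokens, sampleConfig, forbidListIsAuthoritative) and the sample configuration and token list are assumptions constructed for the illustration; it does not parse HTML and does not reproduce DOMPurify's internals.

```javascript
// Added illustration, not DOMPurify's source: a simplified model of an
// element-keep decision and of the check order that lets a custom tag rule
// bypass an explicit forbid list. All names here are constructed.

function keepElementVulnerable(tag, cfg) {
  // Custom rule first: when it returns true, `||` never reaches the
  // forbidden-list test, so an explicitly forbidden tag is kept.
  return (cfg.tagCheck !== null && cfg.tagCheck(tag)) ||
         (cfg.allowedTags.has(tag) && !cfg.forbidTags.has(tag));
}

function keepElementFixed(tag, cfg) {
  // Early exit: an explicit forbid wins over every allow mechanism,
  // whichever rule (static allow list or custom function) would accept it.
  if (cfg.forbidTags.has(tag)) return false;
  return (cfg.tagCheck !== null && cfg.tagCheck(tag)) ||
         cfg.allowedTags.has(tag);
}

// Tag-only filter over a flat token list so the effect is visible end to end.
// Each token is a constructed {tag, attrs} record, not parsed DOM; attributes
// travel with the element untouched, as in the advisory's description.
function sanitizeTokens(tokens, cfg, keep) {
  return tokens.filter((t) => keep(t.tag.toLowerCase(), cfg));
}

// Constructed configuration: the operator forbids <form>, allows a few
// static tags, and installs a function-based rule that accepts any tag
// starting with "f" (a deliberately broad rule to make the overlap obvious).
const sampleConfig = {
  allowedTags: new Set(['p', 'a', 'div']),
  forbidTags: new Set(['form']),
  tagCheck: (tag) => tag.startsWith('f'),
};

// Constructed input: one allowed tag, one forbidden tag with an attribute,
// and one tag accepted only by the custom rule.
const sampleTokens = [
  { tag: 'p', attrs: {} },
  { tag: 'form', attrs: { action: 'https://example.invalid/submit' } },
  { tag: 'figure', attrs: {} },
];

// Returns the tag names that survive a given keep policy on the sample input.
function survivingTags(keep) {
  return sanitizeTokens(sampleTokens, sampleConfig, keep).map((t) => t.tag);
}

// Regression-style property a consumer can keep in a test suite: every tag
// named in forbidTags must be rejected, whatever the custom rule says.
function forbidListIsAuthoritative(keep, cfg) {
  return [...cfg.forbidTags].every((tag) => !keep(tag, cfg));
}

console.log('vulnerable ordering keeps:', survivingTags(keepElementVulnerable));
console.log('fixed ordering keeps:', survivingTags(keepElementFixed));
```

With the constructed input the vulnerable ordering keeps p, form and figure, because the custom rule answers true for form before the forbid list is consulted; the fixed ordering drops form and keeps the other two. The forbidListIsAuthoritative property is the check to carry into a sanitizer configuration test: it fails for the first ordering and passes for the second.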
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dompurify | npm | < 3.4.0 | 3.4.0 |
Affected products
18 versions (OSV coordinates); no CPE is assigned to any of them.

- pkg:apk/chainguard/langfuse-fips-3, range: < 3.164.0-r6
- pkg:apk/chainguard/langfuse-fips-3-worker, range: < 3.164.0-r6
- pkg:apk/chainguard/nextcloud-server-33, range: < 33.0.6-r0
- pkg:apk/chainguard/opensearch-dashboards-3, range: < 3.6.0-r3
- pkg:apk/chainguard/opensearch-dashboards-3-fips, range: < 3.6.0-r4
- pkg:apk/chainguard/wazuh-dashboard-alerting-dashboards-plugin, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-anomaly-detection-dashboards-plugin, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-dashboards-maps, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-dashboards-notifications, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-dashboards-reporting, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-dashboards-visualizations, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-index-management-dashboards-plugin, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-plugins, range: < 4.14.4-r3
- pkg:apk/chainguard/wazuh-dashboard-plugins-fips, range: < 4.14.4-r2
- pkg:apk/wolfi/nextcloud-server-33, range: < 33.0.6-r0
- pkg:apk/wolfi/opensearch-dashboards-3, range: < 3.6.0-r3
- pkg:npm/dompurify, range: < 3.4.0
- pkg:rpm/opensuse/argocd-cli&distro=openSUSE%20Tumbleweed, range: < 3.4.3-1.1
References
- github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80 (NVD: Patch, Web)
- github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m (NVD: Exploit, Mitigation, Patch, Vendor Advisory, Web)
- github.com/advisories/GHSA-h7mw-gpvr-xq4m (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41240 (GHSA: Advisory)
- github.com/cure53/DOMPurify/releases/tag/3.4.0 (NVD: Product, Release Notes, Web)