npm package
dompurify
pkg:npm/dompurify
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41240 | Med | 6.1 | < 3.4.0 | 3.4.0 | Apr 23, 2026 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The | |
| CVE-2026-41239 | Med | 6.8 | >= 1.0.10, < 3.4.0 | 3.4.0 | Apr 23, 2026 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGM | |
| CVE-2026-41238 | Med | 6.9 | >= 3.0.1, < 3.4.0 | 3.4.0 | Apr 23, 2026 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` op | |
| CVE-2026-0540 | — | >= 3.1.3, < 3.3.2 | 3.3.2 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F | ||
| CVE-2025-15599 | — | >= 3.1.3, < 3.2.7 | 3.2.7 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tag | ||
| CVE-2025-26791 | — | < 3.2.4 | 3.2.4 | Feb 14, 2025 | DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS). | ||
| CVE-2024-48910 | — | < 2.4.2 | 2.4.2 | Oct 31, 2024 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. | ||
| CVE-2024-47875 | — | < 2.5.0 | 2.5.0 | Oct 11, 2024 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3. | ||
| CVE-2024-45801 | — | < 2.5.4 | 2.5.4 | Sep 16, 2024 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollut | ||
| CVE-2019-25155 | — | < 1.0.11 | 1.0.11 | Oct 31, 2023 | DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute. | ||
| CVE-2020-26870 | — | < 2.0.17 | 2.0.17 | Oct 7, 2020 | Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. | ||
| CVE-2019-16728 | — | < 2.0.3 | 2.0.3 | Sep 24, 2019 | DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. |
- affected < 3.4.0fixed 3.4.0
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The
- affected >= 1.0.10, < 3.4.0fixed 3.4.0
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGM
- affected >= 3.0.1, < 3.4.0fixed 3.4.0
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` op
- CVE-2026-0540Mar 3, 2026affected >= 3.1.3, < 3.3.2fixed 3.3.2
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F
- CVE-2025-15599Mar 3, 2026affected >= 3.1.3, < 3.2.7fixed 3.2.7
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tag
- CVE-2025-26791Feb 14, 2025affected < 3.2.4fixed 3.2.4
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
- CVE-2024-48910Oct 31, 2024affected < 2.4.2fixed 2.4.2
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
- CVE-2024-47875Oct 11, 2024affected < 2.5.0fixed 2.5.0
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
- CVE-2024-45801Sep 16, 2024affected < 2.5.4fixed 2.5.4
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollut
- CVE-2019-25155Oct 31, 2023affected < 1.0.11fixed 1.0.11
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
- CVE-2020-26870Oct 7, 2020affected < 2.0.17fixed 2.0.17
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
- CVE-2019-16728Sep 24, 2019affected < 2.0.3fixed 2.0.3
DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.