VYPR
Vendor

Cure53

Products
1
CVEs
12
Across products
12
Status
Private

Products

1

Recent CVEs

12
  • CVE-2025-48050HigMay 15, 2025
    risk 0.42cvss 7.5epss 0.00

    In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a…

  • CVE-2026-47423higJun 1, 2026
    risk 0.38cvss epss 0.00

    ### Summary DOMPurify 3.4.4 allows `selectedcontent` by default, allowing a chain in which browsers "re-clone" an XSS payload after sanitization, effectively bypassing DOMPurify. ### Details The chain is as follows: 1. The browser parses the input and creates a…

  • CVE-2026-41240MedApr 23, 2026
    risk 0.33cvss 6.1epss 0.00

    DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The…

  • CVE-2026-49978Jun 15, 2026
    risk 0.00cvss epss

    If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:…

  • CVE-2026-49458Jun 15, 2026
    risk 0.00cvss epss

    # Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open…

  • CVE-2026-49459Jun 15, 2026
    risk 0.00cvss epss

    # IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove`…

  • CVE-2026-0540Mar 3, 2026
    risk 0.00cvss epss 0.00

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the…

  • CVE-2025-15599Mar 3, 2026
    risk 0.00cvss epss 0.00

    DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext…

  • CVE-2025-26791Feb 14, 2025
    risk 0.00cvss epss 0.01

    DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

  • CVE-2024-48910Oct 31, 2024
    risk 0.00cvss epss 0.01

    DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

  • CVE-2024-47875Oct 11, 2024
    risk 0.00cvss epss 0.01

    DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

  • CVE-2024-45801Sep 16, 2024
    risk 0.00cvss epss 0.01

    DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype…