Vulnerable Library - dompurify-2.4.7.tgz
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.4.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dompurify/package.json
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (dompurify version) | Remediation Possible** |
|:--|:--|:--|:--|:--|:--|:--|
| CVE-2024-47875 | Critical | 9.3 | dompurify-2.4.7.tgz | Direct | 2.5.0 | ✅ |
| CVE-2026-41239 | High | 7.6 | dompurify-2.4.7.tgz | Direct | 3.4.0 | ✅ |
| CVE-2024-45801 | Medium | 6.9 | dompurify-2.4.7.tgz | Direct | 2.5.4 | ✅ |
| WS-2024-0017 | Medium | 6.1 | dompurify-2.4.7.tgz | Direct | 2.5.8, 3.2.3 | ✅ |
| CVE-2026-41240 | Medium | 6.0 | dompurify-2.4.7.tgz | Direct | 3.4.0 | ✅ |
| CVE-2025-26791 | Low | 2.1 | dompurify-2.4.7.tgz | Direct | 3.2.4 | ✅ |

The "Fixed in" column lists the lowest release that resolves each finding individually. Taken together, the rows require 3.4.0 to clear all six: the 2024 findings and CVE-2025-26791 also have 2.x or 3.2.x fixes, but this report gives no 2.x fix for the two 2026 CVEs.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-47875
Vulnerable Library - dompurify-2.4.7.tgz
Dependency Hierarchy:
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3; the 2.4.7 build flagged here falls inside the affected range.
Publish Date: 2024-10-11
URL: CVE-2024-47875
CVSS 4 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-47875
Release Date: 2024-10-11
Fix Resolution: 2.5.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-41239
Vulnerable Library - dompurify-2.4.7.tgz
Dependency Hierarchy:
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Summary

| Field | Value |
|:------|:------|
| Severity | Medium |
| Affected | DOMPurify `main` at `883ac15` (https://github.com/cure53/DOMPurify/tree/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6), introduced in v1.0.10 (`7fc196db`, cure53/DOMPurify@7fc196d) |

`SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Only applications that combine `SAFE_FOR_TEMPLATES: true` with one of those two return modes and then feed the result to a template-compiling framework are exposed; string-mode callers get the second pass.

Technical Details

DOMPurify strips template expressions in two passes:

1. Per-node: each text node is checked during the tree walk (`purify.ts:1179-1191`, https://github.com/cure53/DOMPurify/blob/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6/src/purify.ts#L1179-L1191):

```js
// pass #1: runs on every text node during tree walk
if (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {
  content = currentNode.textContent;
  content = content.replace(MUSTACHE_EXPR, ' '); // {{...}} -> ' '
  content = content.replace(ERB_EXPR, ' ');      // <%...%> -> ' '
  content = content.replace(TMPLIT_EXPR, ' ');   // ${...   -> ' '
  currentNode.textContent = content;
}
```

2. Final string scrub: after serialization, the full HTML string is scrubbed again (`purify.ts:1679-1683`, https://github.com/cure53/DOMPurify/blob/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6/src/purify.ts#L1679-L1683). This is the safety net that catches expressions that only form after the DOM settles.

The `RETURN_DOM` path returns before pass #2 ever runs (`purify.ts:1637-1661`, https://github.com/cure53/DOMPurify/blob/883ac15d47f907cb1a3b5a152fe90c4d8c10f9e6/src/purify.ts#L1637-L1661):

```js
// purify.ts (simplified)
if (RETURN_DOM) {
  // ... build returnNode ...
  return returnNode; // <-- exits here, pass #2 never runs
}
// pass #2: only reached by string-mode callers
if (SAFE_FOR_TEMPLATES) {
  serializedHTML = serializedHTML.replace(MUSTACHE_EXPR, ' ');
}
return serializedHTML;
```

The payload `{{constructor.constructor('alert(1)')()}}` exploits this:

1. The parser creates `TEXT("{")` → (disallowed element) → `TEXT("{payload}")` → (disallowed element) → `TEXT("}")`; no single node contains `{{`, so pass #1 misses it.
2. That element is not allowed, so DOMPurify removes it but keeps the surrounding text.
3. The three text nodes are now adjacent; `.outerHTML` reads them as `{{payload}}`, which Vue 2 compiles and executes.
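To make the two-pass behaviour concrete, the following is an added example written for this report; it is not DOMPurify's code. It models the tree walk over a hand-built node list rather than a real DOM, so it runs under plain Node.js. The three template regexes are assumed to match DOMPurify's `src/regexp.ts`, the element that splits the braces is named `x` as a placeholder, and the `normalizeAndRescrub` post-pass is a defence-in-depth suggestion for `RETURN_DOM` callers on an unpatched build, not the project's fix.

```javascript
'use strict';

// Regexes assumed to match DOMPurify's src/regexp.ts (assumption, not copied from this page).
const MUSTACHE_EXPR = /\{\{[\w\W]*|[\w\W]*\}\}/gm; // {{ ... }}
const ERB_EXPR = /<%[\w\W]*|[\w\W]*%>/gm;         // <% ... %>
const TMPLIT_EXPR = /\$\{[\w\W]*/gm;              // ${ ...

// The scrub applied in both passes: every template expression becomes a single space.
function scrubTemplates(s) {
  return s.replace(MUSTACHE_EXPR, ' ').replace(ERB_EXPR, ' ').replace(TMPLIT_EXPR, ' ');
}

// Toy node model standing in for DOM Text and Element nodes.
const text = (data) => ({ type: 'text', data });
const element = (name, allowed) => ({ type: 'element', name, allowed });

// Pass #1, as in the tree walk: each text node is scrubbed on its own, and a disallowed
// element is dropped while the text on either side of it stays in place.
function treeWalk(nodes) {
  const out = [];
  for (const n of nodes) {
    if (n.type === 'text') out.push(text(scrubTemplates(n.data)));
    else if (n.allowed) out.push(n);
  }
  return out;
}

// Serialisation, the equivalent of reading .outerHTML on the returned node.
function serialize(nodes) {
  return nodes.map((n) => (n.type === 'text' ? n.data : `<${n.name}></${n.name}>`)).join('');
}

// String mode: pass #2 scrubs the serialized HTML, so a reassembled {{...}} is caught.
function sanitizeToString(nodes) {
  return scrubTemplates(serialize(treeWalk(nodes)));
}

// RETURN_DOM mode: returns right after the walk; pass #2 never runs.
function sanitizeToDom(nodes) {
  return treeWalk(nodes);
}

// Defence in depth for RETURN_DOM callers (this example's suggestion, not the project's fix):
// merge adjacent text nodes, as Node.normalize() would, then run the scrub once more.
function normalizeAndRescrub(nodes) {
  const merged = [];
  for (const n of nodes) {
    const last = merged[merged.length - 1];
    if (n.type === 'text' && last && last.type === 'text') last.data += n.data;
    else merged.push(n.type === 'text' ? text(n.data) : n);
  }
  return merged.map((n) => (n.type === 'text' ? text(scrubTemplates(n.data)) : n));
}

// Constructed input: the advisory's payload with "{{" and "}}" split across a disallowed
// element (named "x" here as a placeholder).
const PAYLOAD = "{constructor.constructor('alert(1)')()}";
const SPLIT_INPUT = [text('{'), element('x', false), text(PAYLOAD), element('x', false), text('}')];

function demo() {
  return {
    stringMode: sanitizeToString(SPLIT_INPUT),                                   // ' '
    domMode: serialize(sanitizeToDom(SPLIT_INPUT)),                              // '{{...}}' leaks
    domModeHardened: serialize(normalizeAndRescrub(sanitizeToDom(SPLIT_INPUT))), // ' '
  };
}

console.log(demo());
```

The interesting result is `domMode`: the walk removes both `x` elements and leaves three text nodes whose concatenation is the full mustache expression, exactly what a framework reading `.outerHTML` would compile. `normalizeAndRescrub` shows why merging adjacent text nodes before a second scrub is enough to close this particular gap, but upgrading to 3.4.0 is the supported fix.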
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-04-23
URL: CVE-2026-41239
CVSS 4 Score Details (7.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-crv5-9vww-q3g8
Release Date: 2026-04-22
Fix Resolution: 3.4.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-45801
Vulnerable Library - dompurify-2.4.7.tgz
Dependency Hierarchy:
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-09-16
URL: CVE-2024-45801
CVSS 4 Score Details (6.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mmhx-hmjr-r674
Release Date: 2024-09-16
Fix Resolution: 2.5.4
⛑️ Automatic Remediation will be attempted for this issue.
WS-2024-0017
Vulnerable Library - dompurify-2.4.7.tgz
Dependency Hierarchy:
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Insufficient checks in DOMPurify allows an attacker to bypass sanitizers and execute arbitrary JavaScript code. This issue affects versions before 2.5.8 and 3.x before 3.2.3.
Publish Date: 2024-02-08
URL: WS-2024-0017
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2024-02-08
Fix Resolution: 2.5.8, 3.2.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-41240
Vulnerable Library - dompurify-2.4.7.tgz
Dependency Hierarchy:
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
There is an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit `c361baa` (cure53/DOMPurify@c361baa) added an early exit for FORBID_ATTR at line 1214:

```js
/* FORBID_ATTR must always win, even if ADD_ATTR predicate would allow it */
if (FORBID_ATTR[lcName]) {
  return false;
}
```

The same fix was not applied to FORBID_TAGS. At lines 1118-1123, when `EXTRA_ELEMENT_HANDLING.tagCheck` returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely:

```js
if (
  !(
    EXTRA_ELEMENT_HANDLING.tagCheck instanceof Function &&
    EXTRA_ELEMENT_HANDLING.tagCheck(tagName) // true -> short-circuits
  ) &&
  (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) // never evaluated
) {
```

This allows forbidden elements to survive sanitization with their attributes intact. The vulnerable branch is only reachable when the installed build accepts a function for ADD_TAGS (the `EXTRA_ELEMENT_HANDLING.tagCheck` predicate) and the application actually passes one; confirm both for the installed version before ranking this finding against the Critical and High rows above.
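As an added example (not DOMPurify's code), the following models the element-removal decision quoted above with the vulnerable operator order next to a hardened order that gives FORBID_TAGS the same "always wins" precedence `c361baa` gave FORBID_ATTR, plus the attribute-side check in that shape. The `cfg` object, `toSet`, `keptTags`, `demo` and the sample configuration are constructed for this example; the real code runs inside a DOM tree walk rather than over a list of tag names.

```javascript
'use strict';

// Allow/forbid sets are prototype-less so that a lookup such as set['constructor'] cannot be
// satisfied by Object.prototype (the prototype-pollution angle mentioned under CVE-2024-45801).
function toSet(names) {
  const set = Object.create(null);
  for (const n of names) set[n.toLowerCase()] = true;
  return set;
}

// Vulnerable: mirrors the condition quoted in the advisory. When tagCheck returns true the
// negated group is false, && short-circuits, and FORBID_TAGS is never consulted.
function shouldRemoveTagVulnerable(tagName, cfg) {
  return (
    !(cfg.tagCheck instanceof Function && cfg.tagCheck(tagName)) &&
    (!cfg.ALLOWED_TAGS[tagName] || cfg.FORBID_TAGS[tagName])
  );
}

// Hardened (this example's ordering): FORBID_TAGS is evaluated first, so no predicate can
// resurrect a forbidden element.
function shouldRemoveTagHardened(tagName, cfg) {
  if (cfg.FORBID_TAGS[tagName]) return true;
  if (cfg.tagCheck instanceof Function && cfg.tagCheck(tagName)) return false;
  return !cfg.ALLOWED_TAGS[tagName];
}

// Attribute side in the shape of c361baa: FORBID_ATTR wins even when the predicate allows.
function isAttrAllowed(lcName, cfg) {
  if (cfg.FORBID_ATTR[lcName]) return false;
  if (cfg.attrCheck instanceof Function && cfg.attrCheck(lcName)) return true;
  return Boolean(cfg.ALLOWED_ATTR[lcName]);
}

// Walk a flat list of element names and keep those the decision function does not remove.
function keptTags(tagNames, cfg, decide) {
  return tagNames.map((t) => t.toLowerCase()).filter((t) => !decide(t, cfg));
}

// Constructed config: the application allows <p> and <a>, forbids <iframe> and <script>, and
// (the risky part) passes a tagCheck predicate that happens to say yes to iframe.
const CONFIG = {
  ALLOWED_TAGS: toSet(['p', 'a']),
  FORBID_TAGS: toSet(['iframe', 'script']),
  tagCheck: (t) => t === 'iframe' || t === 'video',
  ALLOWED_ATTR: toSet(['href', 'title']),
  FORBID_ATTR: toSet(['onclick', 'srcdoc']),
  attrCheck: () => true,
};

const SAMPLE = ['p', 'iframe', 'video', 'script', 'span'];

function demo() {
  return {
    vulnerable: keptTags(SAMPLE, CONFIG, shouldRemoveTagVulnerable), // ['p', 'iframe', 'video']
    hardened: keptTags(SAMPLE, CONFIG, shouldRemoveTagHardened),     // ['p', 'video']
    onclickAllowed: isAttrAllowed('onclick', CONFIG),                // false
    hrefAllowed: isAttrAllowed('href', CONFIG),                      // true
  };
}

console.log(demo());
```

The `vulnerable` list keeps `iframe` because the predicate answered first; the `hardened` list keeps only `video`, the element the predicate was meant to add, because the forbid lookup runs before the predicate is consulted. The same two-line reordering is what the FORBID_ATTR early exit already does on the attribute side.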
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-04-23
URL: CVE-2026-41240
CVSS 4 Score Details (6.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h7mw-gpvr-xq4m
Release Date: 2026-04-23
Fix Resolution: 3.4.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-26791
Vulnerable Library - dompurify-2.4.7.tgz
Dependency Hierarchy:
- ❌ dompurify-2.4.7.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
Publish Date: 2025-02-14
URL: CVE-2025-26791
CVSS 4 Score Details (2.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-26791
Release Date: 2025-02-14
Fix Resolution: 3.2.4
⛑️ Automatic Remediation will be attempted for this issue.