Description
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex.
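To make the description concrete, here is an added example (not DOMPurify's own source and not part of this advisory) that models the SAFE_FOR_XML attribute-value check: an attribute value containing the closing tag of a raw-text element, or a comment/CDATA terminator, is rejected, because once the sanitized markup is serialized and re-parsed inside such an element the value can break out of it. The exact regex text is an assumption modeled on that check, with the vulnerable form listing only `style`, `title` and `textarea` and the fixed form adding the five elements named above; the sample attribute values are constructed for the demonstration.

```javascript
// Added example: models the SAFE_FOR_XML attribute-value check from the
// advisory. The regex text is an assumption modeled on the library's check,
// not copied from DOMPurify.

// Pre-fix shape of the check: only three raw-text elements are listed, so a
// value closing <noscript>, <xmp>, <noembed>, <noframes> or <iframe> passes.
const SAFE_FOR_XML_VULNERABLE = /((--!?|])>)|<\/(style|title|textarea)/i;

// Post-fix shape: the five raw-text elements named in the advisory are added.
const SAFE_FOR_XML_FIXED =
  /((--!?|])>)|<\/(style|title|textarea|noscript|xmp|noembed|noframes|iframe)/i;

// Returns true when the attribute value must be dropped under the given pattern.
function rejectsAttributeValue(value, pattern) {
  return pattern.test(String(value));
}

// Returns the raw-text closing tags in a value that the vulnerable pattern
// misses but the fixed pattern catches (in a stable order).
function missedClosingTags(value) {
  const added = ['noscript', 'xmp', 'noembed', 'noframes', 'iframe'];
  const found = [];
  for (const tag of added) {
    if (new RegExp('<\\/' + tag, 'i').test(String(value))) {
      found.push(tag);
    }
  }
  return found;
}

// Constructed attribute values for the demonstration.
const SAMPLES = [
  'plain text',
  'ends with --> comment close',
  'closes </style> early',
  'closes </NOSCRIPT> early',
  'closes </xmp> and </iframe> early',
];

// Runs every sample through both patterns and reports the verdicts side by side.
function classify(samples) {
  return samples.map((value) => ({
    value,
    vulnerableRejects: rejectsAttributeValue(value, SAFE_FOR_XML_VULNERABLE),
    fixedRejects: rejectsAttributeValue(value, SAFE_FOR_XML_FIXED),
    missedTags: missedClosingTags(value),
  }));
}

console.log(classify(SAMPLES));
```

The rows where `vulnerableRejects` is false and `fixedRejects` is true are exactly the gap the advisory describes: the value survives sanitization on an affected release and is dropped on a patched one.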
Recommendation
Update the dompurify package to the latest compatible version. The following are the version details:
Affected version(s): **>= 2.5.3, <= 2.5.8** and **>= 3.1.3, <= 3.3.1**
Patched version(s): **2.5.9** and **3.3.2**
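As an added example (not part of this advisory or of the dompurify project), the following checks whether an installed dompurify version falls inside one of the affected ranges above and names the patched release to move to. Versions are compared component by component as integers rather than as strings, so 3.10.0 correctly sorts after 3.9.0; the list of installed versions is constructed for the demonstration and stands in for what a lockfile scan would return, since several copies of dompurify can be installed at once.

```javascript
// Added example: maps a dompurify version string to the affected ranges and
// patched releases listed in the advisory. Not part of the dompurify project.

const AFFECTED_RANGES = [
  { min: '2.5.3', max: '2.5.8', fixedIn: '2.5.9' },
  { min: '3.1.3', max: '3.3.1', fixedIn: '3.3.2' },
];

// Parses "MAJOR.MINOR.PATCH" into three integers. A leading "v", a pre-release
// suffix ("-beta.1") and build metadata ("+abc") are ignored for the comparison.
function parseVersion(version) {
  const core = String(version).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error('unparseable version: ' + version);
  }
  return parts;
}

// Numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) {
      return pa[i] < pb[i] ? -1 : 1;
    }
  }
  return 0;
}

// Returns { affected, fixedIn } for a single dompurify version string.
function checkDompurifyVersion(version) {
  for (const range of AFFECTED_RANGES) {
    if (compareVersions(version, range.min) >= 0 &&
        compareVersions(version, range.max) <= 0) {
      return { affected: true, fixedIn: range.fixedIn };
    }
  }
  return { affected: false, fixedIn: null };
}

// Constructed sample: versions as they might appear across one lockfile.
const INSTALLED = ['2.5.8', '3.0.6', '3.2.6', '3.3.2', 'v3.1.3'];

// One row per installed copy, so every affected copy is visible, not only the
// top-level dependency.
function report(versions) {
  return versions.map((version) => ({ version, ...checkDompurifyVersion(version) }));
}

console.log(report(INSTALLED));
```

Run it against every dompurify entry in the lockfile, not just the direct dependency: a transitive copy pinned inside another package's subtree is affected in the same way.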
References
- GHSA-v2wj-7wpq-c8vv
- www.vulncheck.com
- fluidattacks.com
- CVE-2026-0540
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- DOMPurify contains a Cross-site Scripting vulnerability (GHSA-v8jm-5vwx-cfxm) - CVE-2025-15599
- Vulnogram contains a stored cross-site scripting vulnerability in comment hypertext handling - CVE-2026-32774
- html2pdf.js contains a cross-site scripting vulnerability - CVE-2026-22787
- beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS) - CVE-2026-26226
Tags
- npm
- dompurify
Last updated on March 27, 2026