DOMPurify contains a Cross-site Scripting vulnerability (GHSA-v8jm-5vwx-cfxm)

Severity:: Medium

Description

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex.

Recommendation

Update the dompurify package to the latest compatible version. Followings are version details:

Affected version(s): **>= 2.5.3, <= 2.5.8 >= 3.1.3, < 3.2.7**
Patched version(s): 3.2.7

References

GHSA-v8jm-5vwx-cfxm
www.vulncheck.com
CVE-2025-15599
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

DOMPurify contains a Cross-site Scripting vulnerability - CVE-2026-0540
QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
bootstrap Cross-site Scripting vulnerability (GHSA-ph58-4vrj-w6hr) 2 - CVE-2018-20677

Tags:: npm; dompurify

Anything's wrong? Let us know Last updated on March 04, 2026