Description
| Field | Value |
|:------|:------|
| Severity | Medium |
| Affected | DOMPurify main at 883ac15, introduced in v1.0.10 (7fc196db) |
SAFE_FOR_TEMPLATES strips `` expressions from untrusted HTML.
Recommendation
Update the dompurify package to the latest compatible version. Version details:
- Affected version(s): >= 1.0.10, < 3.4.0
- Patched version(s): 3.4.0
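
One way to check a project against the affected range above, as an added example that is not part of the original advisory or of the DOMPurify project: it scans the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3 is assumed) for `dompurify` entries, including nested copies pulled in by other dependencies. The sample lockfile and the package names in it are constructed.

```javascript
// Added example: flag dompurify installs inside the advisory's affected range
// (>= 1.0.10, < 3.4.0). Assumes an npm lockfile with a "packages" map (v2/v3).
const AFFECTED_FROM = [1, 0, 10]; // first affected release, per the advisory
const PATCHED = [3, 4, 0];        // first patched release, per the advisory

// Parse "x.y.z" with optional "-prerelease" and "+build" parts.
function parseVersion(v) {
  if (typeof v !== "string") return null;
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(v);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // missing or unparseable version: report for manual review
  const vsPatched = compareCore(p.core, PATCHED);
  const vsFrom = compareCore(p.core, AFFECTED_FROM);
  // In semver ordering a prerelease sorts before its release:
  // 3.4.0-rc.1 < 3.4.0 (still in range), 1.0.10-beta < 1.0.10 (before the range).
  if (vsPatched === 0 && p.pre) return true;
  if (vsFrom === 0 && p.pre) return false;
  return vsFrom >= 0 && vsPatched < 0;
}

function findAffected(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    // Keys look like "node_modules/dompurify" or "node_modules/a/node_modules/dompurify".
    if (!path.endsWith("node_modules/dompurify")) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "3.4.0" },
    "node_modules/html-widget/node_modules/dompurify": { version: "2.5.8" },
    "node_modules/legacy/node_modules/dompurify": { version: "1.0.9" },
  },
};
console.log(findAffected(sampleLock));
```

To run it on a real project, replace `sampleLock` with the parsed contents of the project's `package-lock.json`. A patched top-level install does not clear nested copies, which is why every matching path is checked.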
References
Related Issues
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys - CVE-2026-33442
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
Tags: npm, dompurify
Last updated on April 27, 2026


