Description
| Field | Value | |:——|:——| | Severity | Medium | | Affected | DOMPurify main at 883ac15, introduced in v1.0.10 (7fc196db) |
SAFE_FOR_TEMPLATES strips `` expressions from untrusted HTML.
Recommendation
Update the dompurify package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.0.10, < 3.4.0
- Patched version(s): 3.4.0
References
Related Issues
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
You might also like:
- Tags:
- npm
- dompurify
Anything's wrong? Let us know Last updated on April 27, 2026


