Description
A mutation-XSS (mXSS) condition was confirmed when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers. The wrappers confirmed to trigger this behavior in browsers are script, xmp, iframe, noembed, noframes, and noscript. The payload appears benign after DOMPurify.sanitize(), but during the second parse it mutates into executable markup carrying an event handler, enabling JavaScript execution in the client (alert(1) in the PoC).
Recommendation
Update the dompurify package to the latest compatible version. Version details:
- Affected version(s): < 3.3.2
- Patched version(s): 3.3.2
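As an added defensive example (not DOMPurify's own code and not the PoC), the snippet below turns the two facts this advisory states into runnable checks: the affected range (< 3.3.2) from the recommendation and the wrapper list from the description. The single-parse insertion policy and the injected `sanitize` callback are assumptions of this example, not guidance from the project.

```javascript
// Added defensive example; not DOMPurify's code. Version range and wrapper
// list come from the advisory; the insertion policy itself is an assumption.
const PATCHED_VERSION = '3.3.2';
const MXSS_WRAPPERS = new Set(['script', 'xmp', 'iframe', 'noembed', 'noframes', 'noscript']);

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release suffix ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when the installed dompurify falls in the advisory's affected range (< 3.3.2).
function isAffectedVersion(installed) {
  return compareSemver(installed, PATCHED_VERSION) < 0;
}

// Lower-cased tag names from `el` up to the root; works on any object exposing
// tagName/parentElement, so it runs against real DOM nodes or plain stubs.
function tagChainOf(el) {
  const chain = [];
  for (let node = el; node && node.tagName; node = node.parentElement) {
    chain.push(node.tagName.toLowerCase());
  }
  return chain;
}

// Name of the first enclosing wrapper from the advisory's list, or null.
function findMxssWrapper(el) {
  return tagChainOf(el).find((t) => MXSS_WRAPPERS.has(t)) || null;
}

// Sanitize exactly once, at the insertion point, and refuse to assign innerHTML
// where a wrapper context named above would re-parse the sanitized output.
// `sanitize` is injected (DOMPurify.sanitize in production) to keep this testable.
function insertSanitizedOnce(target, untrustedHtml, sanitize, installedVersion) {
  if (isAffectedVersion(installedVersion)) {
    throw new Error(`dompurify ${installedVersion} is affected; upgrade to >= ${PATCHED_VERSION}`);
  }
  const wrapper = findMxssWrapper(target);
  if (wrapper) {
    throw new Error(`refusing innerHTML inside <${wrapper}>: output would be parsed a second time`);
  }
  target.innerHTML = sanitize(untrustedHtml);
  return target.innerHTML;
}
```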
References
Tags: npm, dompurify
Last updated on March 27, 2026