Cure53 Dompurify


By the Year

In 2026 there have been 5 vulnerabilities in Cure53 Dompurify with an average score of 6.5 out of ten. Dompurify did not have any published security vulnerabilities last year, so 2026 is already 5 vulnerabilities ahead of the previous year.

Year   Vulnerabilities   Average Score
2026   5                 6.48
2025   0                 0.00
2024   1                 9.10
2023   1                 0.00
2022   0                 0.00
2021   0                 0.00
2020   1                 6.10
2019   1                 6.10

It may take a day or so for new Dompurify vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Cure53 Dompurify Security Vulnerabilities

DOMPurify <=3.3.5: FORBID_TAGS/ATTR skip leads to XSS
CVE-2026-41240 - April 23, 2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214, but the same fix was not applied to FORBID_TAGS. At lines 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.

Allowlist / Allow List

DOMPurify 1.0.10-3.3.9 XSS via SAFE_FOR_TEMPLATES
CVE-2026-41239 6.8 - Medium - April 23, 2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.

XSS

DOMPurify 3.0.1-3.3.3: XSS by Prototype Pollution (fixed in 3.4.0)
CVE-2026-41238 6.9 - Medium - April 23, 2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes including event handlers through sanitization. Version 3.4.0 fixes the issue.

XSS

DOMPurify 3.1.3-3.3.1 XSS via Missing Rawtext Elements
CVE-2026-0540 6.1 - Medium - March 03, 2026

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

XSS

XSS via missing textarea check in DOMPurify 3.1.3-3.2.6 & 2.5.3-2.5.8
CVE-2025-15599 6.1 - Medium - March 03, 2026

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

XSS

DOMPurify Prototype Pollution XSS | Vulnerable before 2.4.2
CVE-2024-48910 9.1 - Critical - October 31, 2024

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

Prototype Pollution

DOMPurify <1.0.11 RevTabnabbing via missing rel=noopener in demo
CVE-2019-25155 - November 07, 2023

DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.

Cure53 DOMPurify before 2.0.17 allows mutation XSS
CVE-2020-26870 6.1 - Medium - October 07, 2020

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

XSS

DOMPurify before 2.0.1
CVE-2019-16728 6.1 - Medium - September 24, 2019

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

XSS
