Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

DOMPurify — Vulnerabilities & Security Advisories 14

All 14 CVE vulnerabilities found in DOMPurify, with AI-generated Chinese analysis, references, and POCs.

This page presents a comprehensive aggregation of vulnerabilities associated with DOMPurify, an open-source JavaScript DOM sanitizer library, specifically focusing on cross-site scripting weaknesses. It compiles detailed records of security defects identified in the product, covering advisory releases from its inception through recent updates to ensure a complete historical perspective. Here, security researchers and developers can track vendor advisories to stay informed about emerging threats, understand the characteristics and impact of specific weakness classes like Stored or Reflected XSS, and look up the product's vulnerability history to assess long-term security trends. By organizing these entries chronologically and categorizing them by severity and type, the resource facilitates a deeper analysis of how DOMPurify has evolved to mitigate risks in web applications. Users can explore the technical details of each flaw, including the contexts in which they occur and the remediation strategies recommended by the maintainers. This structured approach helps teams evaluate their current defenses against known attack vectors and apply appropriate patches or configuration changes. The data serves as a critical reference for understanding the security posture of DOMPurify, enabling stakeholders to make informed decisions regarding its usage in their software stacks. Whether investigating a specific incident or conducting a routine security audit, this aggregation provides the necessary context to navigate the complex landscape of web application security vulnerabilities effectively.

Vendor: cure53

CVE IDTitleCVSSSeverityPublished
CVE-2026-49978 DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content CWE-79--2026-07-14
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM CWE-79 6.1 Medium2026-07-14
CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks CWE-79 6.1 Medium2026-07-14
CVE-2026-47423 DOMPurify XSS via `selectedcontent` re-clone CWE-79 8.2 High2026-07-14
CVE-2026-41240 DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) CWE-183 7.2AIHighAI2026-04-23
CVE-2026-41239 DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode CWE-79 6.8 Medium2026-04-23
CVE-2026-41238 DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback CWE-79 6.9 Medium2026-04-23
CVE-2026-0540 DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML CWE-79 6.1 Medium2026-03-03
CVE-2025-15599 DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML CWE-79 6.1 Medium2026-03-03
CVE-2025-48050 DOMPurify 安全漏洞 CWE-24 7.5 High2025-05-15
CVE-2025-26791 DOMPurify 安全漏洞 CWE-79 4.5 Medium2025-02-14
CVE-2024-48910 DOMPurify vulnerable to tampering by prototype polution CWE-1321 9.1 Critical2024-10-31
CVE-2024-47875 DOMPurify nesting-based mXSS CWE-79 10.0 Critical2024-10-11
CVE-2024-45801 Tampering by prototype polution in DOMPurify CWE-1333 7.3 High2024-09-16

All 14 known CVE vulnerabilities affecting DOMPurify with full Chinese analysis, references, and POCs where available.