CVE-2025-26791: Cross-site Scripting in DOMPurify

Severity
NVD: 6.1 MEDIUM
CNA: 4.5
EPSS: 0.1% (top 73.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below

Timeline
Published: Feb 14, 2025
Latest update: Jan 15, 2026

Description

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
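The description names the bug class but not the pattern. The following is an added illustration, not DOMPurify's code: a template-literal stripper of the kind DOMPurify applies under its SAFE_FOR_TEMPLATES option, written two ways. The two regular expressions are assumptions modelled on the description (one requires a closing brace, one strips from `${` to the end of the text); they are not copied from the library, and the inputs are constructed. The point it shows is the failure mode: a pattern that insists on a terminating `}` leaves an unterminated `${` opener in the output. How such a leftover turns into mutation XSS in a given consumer depends on the downstream template processing and is not detailed on this page.

```javascript
// Added illustration (not DOMPurify's code): a template-literal stripper of the
// kind DOMPurify applies under SAFE_FOR_TEMPLATES, written two ways.
// ASSUMPTION: the "before" pattern requires a closing brace and the "after"
// pattern does not; both are modelled on the CVE description, not copied from
// the library. All inputs below are constructed.

// Assumed "before" shape: greedy match from "${" to the LAST "}" in the text.
const TMPLIT_REQUIRES_CLOSE = /\$\{[\w\W]*\}/gm;
// Assumed hardened shape: strip from the first "${" to the end of the text.
const TMPLIT_TO_END = /\$\{[\w\W]*/gm;

// Replace every template-literal expression matched by `re` with a space,
// the same outcome as removing the expression from a text node or attribute.
function stripTemplateExpr(text, re) {
  // String.prototype.replace ignores lastIndex, so the /g flag is safe here.
  return text.replace(re, ' ');
}

// True if a "${" opener survives stripping, i.e. the stripper missed something.
function leavesOpener(text, re) {
  return stripTemplateExpr(text, re).includes('${');
}

// Run both strippers over a list of inputs; one result row per input.
function compareStrippers(inputs) {
  return inputs.map((text) => ({
    text,
    requiresCloseLeaks: leavesOpener(text, TMPLIT_REQUIRES_CLOSE),
    toEndLeaks: leavesOpener(text, TMPLIT_TO_END),
  }));
}

// Constructed inputs covering the terminated and unterminated cases.
const CONSTRUCTED_INPUTS = [
  'Hello ${user}',     // well-formed: both patterns remove it
  'Hello ${user',      // unterminated: only the to-end pattern removes it
  '${a} then ${b',     // greedy pattern stops at the last "}", leaving "${b"
  'title="${x"',       // attribute-style value with no closing brace
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compareStrippers(CONSTRUCTED_INPUTS)) console.log(row);
}
```

The `requiresCloseLeaks` column is the one to watch: any row where it is true is an input the brace-requiring pattern hands through unchanged, which is exactly the class of output a sanitizer must not produce when the caller has asked for template expressions to be removed.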

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (one package, 3 sources)

Source      Package            Affected versions
CVEList V5  cure53/dompurify   < 3.2.4
NVD         cure53/dompurify   < 3.2.4
npm         cure53/dompurify   < 3.2.4
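All three sources agree on the range `< 3.2.4`. The check a practitioner wants is whether that range appears anywhere in a lockfile, including nested copies pulled in by an editor or widget package. The script below is an added example (not cvebase's or DOMPurify's code) that walks a parsed `package-lock.json` in either the flat `packages` form (lockfileVersion 2/3) or the nested `dependencies` form (lockfileVersion 1), and flags every `dompurify` install below 3.2.4. The lockfile objects are constructed for illustration, and the version comparison is a deliberately small one that handles `x.y.z` plus a prerelease suffix rather than a full semver implementation.

```javascript
// Added example (not cvebase's or DOMPurify's code): flag dompurify entries in
// an npm lockfile that fall inside the "< 3.2.4" range listed on this page.
// The lockfile objects below are constructed; the version comparison handles
// only the numeric x.y.z form plus an optional prerelease suffix.
const FIXED_VERSION = '3.2.4';

// Split "v3.2.4-rc.1+build" into numeric parts and a prerelease flag.
function parseVersion(v) {
  const [core, pre] = v.replace(/^v/, '').split('+')[0].split('-');
  const nums = core.split('.').map((n) => parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, prerelease: pre !== undefined };
}

// -1, 0 or 1; a prerelease sorts below the release with the same numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// dompurify install with its path, version and vulnerability verdict.
function findDompurify(lock) {
  const hits = [];
  const record = (path, version) => {
    hits.push({ path, version, vulnerable: isVulnerable(version) });
  };

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/dompurify' || path.endsWith('/node_modules/dompurify')) {
        record(path, meta.version);
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'dompurify') record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed lockfiles: a v3 file with a vulnerable top-level copy and a
// patched nested copy, and a v1 file with one vulnerable nested copy.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/dompurify': { version: '3.2.3' },
    'node_modules/rich-editor': { version: '2.0.0' },
    'node_modules/rich-editor/node_modules/dompurify': { version: '3.2.4' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'rich-editor': {
      version: '2.0.0',
      dependencies: { dompurify: { version: '2.5.8' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node scan-dompurify.js path/to/package-lock.json
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V3;
  for (const hit of findDompurify(lock)) {
    console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}  ${hit.path}  ${hit.version}`);
  }
}
```

Nested copies matter here because a root-level `dompurify` at 3.2.4 says nothing about a second copy vendored under another package; the walk reports each install path separately so both can be upgraded or overridden.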

Patches

Fixed in DOMPurify 3.2.4 (every listed source gives the affected range as < 3.2.4).

Vulnerability Details (4)

CVEList  CVE-2025-26791: DOMPurify before 3...  (2025-02-14)
OSV      CVE-2025-26791: DOMPurify before 3...  (2025-02-14)
GHSA     DOMPurify allows Cross-site Scripting (XSS)  (2025-02-14)
OSV      DOMPurify allows Cross-site Scripting (XSS)  (2025-02-14)

Vendor Advisories (4)

Oracle   Oracle Construction and Engineering Risk Matrix: Team Member (DOMPurify) — CVE-2025-26791  (2026-01-15)
Oracle   Oracle Communications Applications Risk Matrix: Core (DOMPurify) — CVE-2025-26791  (2025-07-15)
Red Hat  dompurify: Mutation XSS in DOMPurify Due to Improper Template Literal Handling  (2025-02-14)
Debian   CVE-2025-26791: node-dompurify - DOMPurify before 3.2.4 has an incorrect template literal regular expression, som...  (2025)
CVE-2025-26791 — Cross-site Scripting in Dompurify | cvebase