CVE-2026-0540 — Cross-site Scripting in Dompurify

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 98.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cure53 Dompurify

Timeline

PublishedMar 3

Description

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

▶npmcure53/dompurify3.1.3 — 3.3.2+1

▶CVEListV5cure53/dompurify3.1.3 — 3.3.1+1

▶NVDcure53/dompurify2.5.3 — 2.5.8+1

🔴Vulnerability Details

OSV

DOMPurify contains a Cross-site Scripting vulnerability↗2026-03-03

▶

GHSA

DOMPurify contains a Cross-site Scripting vulnerability↗2026-03-03

▶

OSV

CVE-2026-0540: DOMPurify 3↗2026-03-03

▶

CVEList

DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML↗2026-03-03

▶

📋Vendor Advisories

Red Hat

DOMPurify: DOMPurify: Cross-site scripting vulnerability↗2026-03-03

▶

Debian

CVE-2026-0540: node-dompurify - DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0540 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶