Severity
  NVD: 6.9 MEDIUM
  GHSA: 6.1
EPSS
  0.0% (top 90.36%)
CISA KEV
  Not in KEV
Exploit
  No known exploits
Timeline
  Published: Apr 23

Description

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application calls `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`; DOMPurify falls back to those inherited values and therefore allows arbitrary custom elements with arbitrary attributes.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N (Exploitability: 1.6 | Impact: 4.7)

Affected Packages (47 packages)

  npm: cure53/dompurify, affected from 3.0.1, fixed in 3.4.0
  CVEListV5: cure53/dompurify >= 3.0.1, < 3.4.0
  Red Hat: grafana/grafana

Vulnerability Details (2)

  VulDB: cure53 DOMPurify up to 3.3.1 cross site scripting (2026-04-22)
  GHSA: DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback (2026-04-22)

Vendor Advisories (1)

  Red Hat: DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution (2026-04-23)