CVE-2026-0540
Received Received - Intake
Cross-Site Scripting in DOMPurify via Incomplete Attribute Sanitization

Publication date: 2026-03-03

Last updated on: 2026-03-25

Assigner: VulnCheck

Description
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0540
EUVD
EUVD-2026-9303
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cure53 dompurify From 2.5.3 (inc) to 2.5.8 (inc)
cure53 dompurify From 3.1.3 (inc) to 3.3.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

This vulnerability exists in DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, where attackers can bypass attribute sanitization due to missing rawtext elements in the SAFE_FOR_XML regular expression. Specifically, five rawtext elements (noscript, xmp, noembed, noframes, iframe) were not properly handled, allowing attackers to inject malicious payloads such as </noscript><img src=x onerror=alert(1)> inside attribute values.

When the sanitized output is placed inside these unprotected rawtext contexts, the injected JavaScript can execute, leading to a cross-site scripting (XSS) vulnerability.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of a vulnerable web application by injecting malicious scripts through improperly sanitized attributes.

Such cross-site scripting (XSS) attacks can lead to session hijacking, defacement, data theft, or other malicious actions that compromise user security and trust.

Detection Guidance

This vulnerability involves DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, where certain rawtext elements are not properly sanitized, allowing cross-site scripting attacks.

To detect if your system is vulnerable, you should first identify if your environment uses one of the affected DOMPurify versions.

You can check the installed DOMPurify version by running commands like:

  • npm list dompurify
  • yarn list dompurify

Additionally, to detect exploitation attempts on your network, you can monitor for suspicious payloads containing rawtext tags such as </noscript><img src=x onerror=alert(1)> in HTTP requests or logs.

For example, using grep on your web server logs to find such patterns:

  • grep -iE '</noscript>|<xmp>|<noembed>|<noframes>|<iframe>' /var/log/nginx/access.log
  • grep -i 'onerror=' /var/log/nginx/access.log
Mitigation Strategies

The primary mitigation step is to update DOMPurify to a version that includes the fix for this vulnerability.

The fix involves an improved regular expression that properly sanitizes rawtext elements such as noscript, xmp, noembed, noframes, and iframe, preventing bypass of attribute sanitization.

Specifically, upgrading to a DOMPurify version that includes the commit 729097f or later will address this issue.

If immediate upgrade is not possible, consider implementing additional input validation or output encoding on your application side to prevent injection of malicious payloads in rawtext contexts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0540. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart