CVE-2026-0540
Cross-Site Scripting in DOMPurify via Incomplete Attribute Sanitization
Publication date: 2026-03-03
Last updated on: 2026-03-25
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cure53 | dompurify | From 2.5.3 (inc) to 2.5.8 (inc) |
| cure53 | dompurify | From 3.1.3 (inc) to 3.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, where attackers can bypass attribute sanitization due to missing rawtext elements in the SAFE_FOR_XML regular expression. Specifically, five rawtext elements (noscript, xmp, noembed, noframes, iframe) were not properly handled, allowing attackers to inject malicious payloads such as </noscript><img src=x onerror=alert(1)> inside attribute values.
When the sanitized output is placed inside these unprotected rawtext contexts, the injected JavaScript can execute, leading to a cross-site scripting (XSS) vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of a vulnerable web application by injecting malicious scripts through improperly sanitized attributes.
Such cross-site scripting (XSS) attacks can lead to session hijacking, defacement, data theft, or other malicious actions that compromise user security and trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, where certain rawtext elements are not properly sanitized, allowing cross-site scripting attacks.
To detect if your system is vulnerable, you should first identify if your environment uses one of the affected DOMPurify versions.
You can check the installed DOMPurify version by running commands like:
- npm list dompurify
- yarn list dompurify
Additionally, to detect exploitation attempts on your network, you can monitor for suspicious payloads containing rawtext tags such as </noscript><img src=x onerror=alert(1)> in HTTP requests or logs.
For example, using grep on your web server logs to find such patterns:
- grep -iE '</noscript>|<xmp>|<noembed>|<noframes>|<iframe>' /var/log/nginx/access.log
- grep -i 'onerror=' /var/log/nginx/access.log
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update DOMPurify to a version that includes the fix for this vulnerability.
The fix involves an improved regular expression that properly sanitizes rawtext elements such as noscript, xmp, noembed, noframes, and iframe, preventing bypass of attribute sanitization.
Specifically, upgrading to a DOMPurify version that includes the commit 729097f or later will address this issue.
If immediate upgrade is not possible, consider implementing additional input validation or output encoding on your application side to prevent injection of malicious payloads in rawtext contexts.