CVE-2026-40301
Status: Received - Intake
CSS Injection in DOMSanitizer SVG Allows Remote Resource Loading

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue.
Meta Information
Published: 2026-04-17
Last Modified: 2026-04-17
Generated: 2026-06-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (3 associated CPEs)
Vendor    Product        Version / Range
rhukster  dom_sanitizer  up to 1.0.10 (inclusive)
rhukster  dom_sanitizer  up to 1.0.10 (exclusive)
rhukster  dom_sanitizer  from 1.0.0 (inclusive) to 1.2.1 (inclusive)
Note: these three CPE ranges contradict each other, and two of them include the version the advisory names as the fix. The description states that 1.0.10 fixes the issue, so treat "below 1.0.10" as the affected range and confirm the installed version with your package manager (composer show) rather than relying on a CPE match.
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Here the unneutralized input is CSS inside an SVG <style> element rather than script, so the practical effect is remote resource loading, not code execution.
Executive Summary

This vulnerability exists in DOMSanitizer versions prior to 1.0.10, a sanitizer for DOM/SVG/MathML in PHP 7.3 and above. The sanitize() function allows <style> elements within SVG content but does not inspect their text content. As a result, CSS url() references and @import rules inside these style elements are not filtered, which can cause the browser to make HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered.

Impact Analysis

The sanitized SVG is meant to be safe to render, but its <style> block still instructs the browser to fetch attacker-chosen URLs, so the output of sanitize() carries an out-of-band beacon. When a victim's browser renders the SVG, the attacker's server learns the viewer's IP address, User-Agent and, subject to the referrer policy of the embedding page, the URL that embedded it, which is enough to track who opened the content and when. Whether the request fires depends on how the SVG reaches the browser: inlined into the HTML document, the references are resolved; loaded through an <img> element, the SVG is not allowed to fetch external resources. The flaw does not by itself execute script or modify data; its direct impact is confidentiality (leaked viewer metadata) rather than integrity or availability.

Mitigation Strategies

Upgrade DOMSanitizer to version 1.0.10 or later, which inspects the text content of <style> elements in SVG input instead of passing it through. Where an upgrade cannot be deployed immediately, two compensating controls close the same path: strip <style> elements from untrusted SVG before it is stored, and set a Content-Security-Policy on the pages that embed the SVG (img-src covers CSS url() image loads, font-src covers fonts, style-src covers @import) so the browser refuses the fetch even if a reference slips through. Serving user-supplied SVG only through <img> rather than inlining it also prevents the load, since browsers do not fetch external resources for SVG loaded as an image. After patching, verify with a test SVG containing an @import rule and a url() pointing at a host you control: the sanitized output must not reference that host, and the host must see no request when the output is rendered.
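The check described in the Description and Mitigation sections, as an added example that is not DOMSanitizer's own code: a function that parses an SVG and lists the url() and @import targets found inside <style> text (the content the advisory says versions before 1.0.10 never inspected), and a hardening function that rewrites those blocks so no external reference survives. It is written in Python so it can run as a regression test over sanitizer output from any stack; the sample SVG and the host name attacker.example are constructed for the demonstration.

```python
"""Regression check for the CVE-2026-40301 pattern: <style> elements inside
an SVG whose CSS still carries url() or @import references that make a
browser fetch a remote resource when the SVG is rendered inline.

Added example, not DOMSanitizer's own code. The sample document and the
host name attacker.example are constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default namespace on output

# CSS comments can hide a reference from a naive grep, so strip them first.
_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# url(x), url('x'), url("x"): CSS is case-insensitive and tolerates whitespace.
_URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)
# @import "x" / @import 'x'; the @import url(x) form is caught by _URL_RE.
_IMPORT_STR_RE = re.compile(r"@import\s+(['\"])(.*?)\1", re.I | re.S)
# A whole @import rule, for removal.
_IMPORT_RULE_RE = re.compile(r"@import\b[^;]*;?", re.I | re.S)


def _local_name(tag: str) -> str:
    """'{http://www.w3.org/2000/svg}style' -> 'style'."""
    return tag.rsplit("}", 1)[-1]


def css_references(css: str) -> list[str]:
    """Every url() and @import target in a CSS string, comments removed."""
    css = _COMMENT_RE.sub("", css)
    refs = [m.group(2).strip() for m in _URL_RE.finditer(css)]
    refs += [m.group(2).strip() for m in _IMPORT_STR_RE.finditer(css)]
    return refs


def is_external(ref: str) -> bool:
    """True when resolving ref makes the browser issue a request.

    Same-document references (#gradient) and data: URLs never leave the page.
    Everything else, relative paths included, causes a fetch, so it is
    treated as external: sanitized output should contain no such loads.
    """
    ref = ref.strip().lower()
    return not (ref.startswith("#") or ref.startswith("data:"))


def external_css_refs(svg: str) -> list[str]:
    """Parse an SVG and return the external references inside the text of
    each <style> element, the content DOMSanitizer < 1.0.10 skipped."""
    root = ET.fromstring(svg)
    found = []
    for el in root.iter():
        if _local_name(el.tag) == "style":
            found += [r for r in css_references(el.text or "") if is_external(r)]
    return found


def strip_external_css(svg: str) -> str:
    """Hardened handling: rewrite each <style> so no external reference
    survives. @import rules are deleted outright and external url() targets
    are replaced by 'none'; fragment and data: targets are kept so gradients
    and embedded images still render."""
    root = ET.fromstring(svg)
    for el in root.iter():
        if _local_name(el.tag) != "style" or not el.text:
            continue
        css = _COMMENT_RE.sub("", el.text)
        css = _IMPORT_RULE_RE.sub("", css)
        css = _URL_RE.sub(
            lambda m: "none" if is_external(m.group(2)) else m.group(0), css)
        el.text = css
    return ET.tostring(root, encoding="unicode")


# Constructed sample: one legitimate same-document gradient reference next to
# the two kinds of remote load the advisory describes, plus a decoy comment.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <style>
    /* url(http://in-a-comment.example/) must be ignored */
    @import "https://attacker.example/track.css";
    rect { fill: URL( 'https://attacker.example/beacon.png' ); }
    circle { fill: url(#grad); }
  </style>
  <rect width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    print("before:", external_css_refs(SAMPLE_SVG))
    cleaned = strip_external_css(SAMPLE_SVG)
    print("after: ", external_css_refs(cleaned))
    print(cleaned)
```

Two caveats on using this. The matching is regex-level, and CSS escape sequences (for example a backslash-escaped "u" in "url(") or exotic whitespace can evade it, so treat it as a regression test on sanitizer output rather than as the sanitizer itself; if your SVGs never need styling, dropping <style> elements entirely is the simpler and safer rule. And the remote load only happens when the SVG is inlined into the HTML DOM; an SVG referenced from <img> is not permitted to fetch external resources, so the embedding method is part of the exposure.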
