Lookup for vulnerable packages by Package URL.

Purl pkg:npm/dompurify@2.5.3
Type npm
Namespace
Name dompurify
Version 2.5.3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.5.9
Latest_non_vulnerable_version 3.4.0
Affected_by_vulnerabilities
0
url VCID-gmsu-xfke-47bg
vulnerability_id VCID-gmsu-xfke-47bg
summary
DOMPurify allows tampering by prototype pollution
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders DOMPurify unable to prevent XSS attacks.

Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45801
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.21673
published_at 2026-04-18T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.21667
published_at 2026-04-16T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.21668
published_at 2026-04-13T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.21724
published_at 2026-04-12T12:55:00Z
4
value 0.00071
scoring_system epss
scoring_elements 0.21764
published_at 2026-04-11T12:55:00Z
5
value 0.00071
scoring_system epss
scoring_elements 0.21753
published_at 2026-04-09T12:55:00Z
6
value 0.00071
scoring_system epss
scoring_elements 0.21696
published_at 2026-04-08T12:55:00Z
7
value 0.00071
scoring_system epss
scoring_elements 0.2162
published_at 2026-04-07T12:55:00Z
8
value 0.00071
scoring_system epss
scoring_elements 0.21868
published_at 2026-04-04T12:55:00Z
9
value 0.00071
scoring_system epss
scoring_elements 0.21815
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45801
2
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
3
reference_url https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/
url https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21
4
reference_url https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/
url https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc
5
reference_url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/
url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45801
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45801
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2312631
reference_id 2312631
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2312631
8
reference_url https://github.com/advisories/GHSA-mmhx-hmjr-r674
reference_id GHSA-mmhx-hmjr-r674
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mmhx-hmjr-r674
9
reference_url https://access.redhat.com/errata/RHSA-2024:11381
reference_id RHSA-2024:11381
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11381
10
reference_url https://access.redhat.com/errata/RHSA-2024:7324
reference_id RHSA-2024:7324
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7324
11
reference_url https://access.redhat.com/errata/RHSA-2024:7706
reference_id RHSA-2024:7706
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7706
12
reference_url https://access.redhat.com/errata/RHSA-2024:8014
reference_id RHSA-2024:8014
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8014
13
reference_url https://access.redhat.com/errata/RHSA-2025:0892
reference_id RHSA-2025:0892
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0892
14
reference_url https://access.redhat.com/errata/RHSA-2025:4019
reference_id RHSA-2025:4019
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4019
fixed_packages
0
url pkg:npm/dompurify@2.5.4
purl pkg:npm/dompurify@2.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mv6v-re2k-g3gn
1
vulnerability VCID-ps3s-bymy-dkbc
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.4
1
url pkg:npm/dompurify@3.1.3
purl pkg:npm/dompurify@3.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mv6v-re2k-g3gn
1
vulnerability VCID-ps3s-bymy-dkbc
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.1.3
aliases CVE-2024-45801, GHSA-mmhx-hmjr-r674
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gmsu-xfke-47bg
1
url VCID-mv6v-re2k-g3gn
vulnerability_id VCID-mv6v-re2k-g3gn
summary
DOMPurify contains a Cross-site Scripting vulnerability
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-15599.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-15599.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-15599
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.08911
published_at 2026-04-02T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.098
published_at 2026-04-18T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.09979
published_at 2026-04-04T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.09877
published_at 2026-04-07T12:55:00Z
4
value 0.00034
scoring_system epss
scoring_elements 0.09953
published_at 2026-04-08T12:55:00Z
5
value 0.00034
scoring_system epss
scoring_elements 0.10002
published_at 2026-04-09T12:55:00Z
6
value 0.00034
scoring_system epss
scoring_elements 0.10018
published_at 2026-04-11T12:55:00Z
7
value 0.00034
scoring_system epss
scoring_elements 0.09977
published_at 2026-04-12T12:55:00Z
8
value 0.00034
scoring_system epss
scoring_elements 0.09954
published_at 2026-04-13T12:55:00Z
9
value 0.00034
scoring_system epss
scoring_elements 0.0983
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-15599
2
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:05:27Z/
url https://github.com/cure53/DOMPurify
3
reference_url https://github.com/cure53/DOMPurify/commit/c861f5a83fb8d90800f1680f855fee551161ac2b
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:05:27Z/
url https://github.com/cure53/DOMPurify/commit/c861f5a83fb8d90800f1680f855fee551161ac2b
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-15599
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-15599
5
reference_url https://www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safe-for-xml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:05:27Z/
url https://www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safe-for-xml
6
reference_url https://www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safeforxml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safeforxml
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2444138
reference_id 2444138
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2444138
8
reference_url https://github.com/advisories/GHSA-v8jm-5vwx-cfxm
reference_id GHSA-v8jm-5vwx-cfxm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v8jm-5vwx-cfxm
fixed_packages
0
url pkg:npm/dompurify@3.0.0
purl pkg:npm/dompurify@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gmsu-xfke-47bg
1
vulnerability VCID-mebp-4rfu-vqcq
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.0.0
1
url pkg:npm/dompurify@3.2.7
purl pkg:npm/dompurify@3.2.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ps3s-bymy-dkbc
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.2.7
aliases CVE-2025-15599, GHSA-v8jm-5vwx-cfxm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mv6v-re2k-g3gn
2
url VCID-ps3s-bymy-dkbc
vulnerability_id VCID-ps3s-bymy-dkbc
summary
DOMPurify contains a Cross-site Scripting vulnerability
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0540.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0540.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-0540
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.01461
published_at 2026-04-02T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.01877
published_at 2026-04-16T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.01897
published_at 2026-04-13T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.01902
published_at 2026-04-12T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.01917
published_at 2026-04-11T12:55:00Z
5
value 0.00013
scoring_system epss
scoring_elements 0.01876
published_at 2026-04-18T12:55:00Z
6
value 0.00013
scoring_system epss
scoring_elements 0.01933
published_at 2026-04-09T12:55:00Z
7
value 0.00013
scoring_system epss
scoring_elements 0.01919
published_at 2026-04-08T12:55:00Z
8
value 0.00013
scoring_system epss
scoring_elements 0.01918
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-0540
2
reference_url https://fluidattacks.com/advisories/daft
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:01:28Z/
url https://fluidattacks.com/advisories/daft
3
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:01:28Z/
url https://github.com/cure53/DOMPurify
4
reference_url https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:01:28Z/
url https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80
5
reference_url https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5
6
reference_url https://github.com/cure53/DOMPurify/releases/tag/3.3.2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:01:28Z/
url https://github.com/cure53/DOMPurify/releases/tag/3.3.2
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-0540
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-0540
8
reference_url https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T19:01:28Z/
url https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2444135
reference_id 2444135
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2444135
10
reference_url https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
reference_id GHSA-v2wj-7wpq-c8vv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fixed_packages
0
url pkg:npm/dompurify@2.5.9
purl pkg:npm/dompurify@2.5.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.9
1
url pkg:npm/dompurify@3.0.0
purl pkg:npm/dompurify@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gmsu-xfke-47bg
1
vulnerability VCID-mebp-4rfu-vqcq
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.0.0
2
url pkg:npm/dompurify@3.3.2
purl pkg:npm/dompurify@3.3.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2
aliases CVE-2026-0540, GHSA-v2wj-7wpq-c8vv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ps3s-bymy-dkbc
3
url VCID-vzq7-t235-ukd5
vulnerability_id VCID-vzq7-t235-ukd5
summary
DOMPurify allows Cross-site Scripting (XSS)
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-26791
reference_id
reference_type
scores
0
value 0.00095
scoring_system epss
scoring_elements 0.26497
published_at 2026-04-08T12:55:00Z
1
value 0.00095
scoring_system epss
scoring_elements 0.26455
published_at 2026-04-16T12:55:00Z
2
value 0.00095
scoring_system epss
scoring_elements 0.26449
published_at 2026-04-13T12:55:00Z
3
value 0.00095
scoring_system epss
scoring_elements 0.26506
published_at 2026-04-12T12:55:00Z
4
value 0.00095
scoring_system epss
scoring_elements 0.26427
published_at 2026-04-07T12:55:00Z
5
value 0.00095
scoring_system epss
scoring_elements 0.26426
published_at 2026-04-18T12:55:00Z
6
value 0.00095
scoring_system epss
scoring_elements 0.26546
published_at 2026-04-09T12:55:00Z
7
value 0.00095
scoring_system epss
scoring_elements 0.26552
published_at 2026-04-11T12:55:00Z
8
value 0.00166
scoring_system epss
scoring_elements 0.37771
published_at 2026-04-02T12:55:00Z
9
value 0.00166
scoring_system epss
scoring_elements 0.37796
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-26791
2
reference_url https://ensy.zip/posts/dompurify-323-bypass
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://ensy.zip/posts/dompurify-323-bypass
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
5
reference_url https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
6
reference_url https://github.com/cure53/DOMPurify/releases/tag/3.2.4
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://github.com/cure53/DOMPurify/releases/tag/3.2.4
7
reference_url https://nsysean.github.io/posts/dompurify-323-bypass
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nsysean.github.io/posts/dompurify-323-bypass
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-26791
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-26791
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325
reference_id 1098325
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2345695
reference_id 2345695
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2345695
11
reference_url https://ensy.zip/posts/dompurify-323-bypass/
reference_id dompurify-323-bypass
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://ensy.zip/posts/dompurify-323-bypass/
12
reference_url https://nsysean.github.io/posts/dompurify-323-bypass/
reference_id dompurify-323-bypass
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://nsysean.github.io/posts/dompurify-323-bypass/
13
reference_url https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
reference_id GHSA-vhxf-7vqr-mrjg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
14
reference_url https://access.redhat.com/errata/RHSA-2025:10020
reference_id RHSA-2025:10020
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:10020
15
reference_url https://access.redhat.com/errata/RHSA-2025:1875
reference_id RHSA-2025:1875
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1875
16
reference_url https://access.redhat.com/errata/RHSA-2025:2518
reference_id RHSA-2025:2518
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2518
17
reference_url https://access.redhat.com/errata/RHSA-2025:3368
reference_id RHSA-2025:3368
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3368
18
reference_url https://access.redhat.com/errata/RHSA-2025:3397
reference_id RHSA-2025:3397
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3397
19
reference_url https://access.redhat.com/errata/RHSA-2025:3886
reference_id RHSA-2025:3886
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3886
20
reference_url https://access.redhat.com/errata/RHSA-2025:7626
reference_id RHSA-2025:7626
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7626
21
reference_url https://access.redhat.com/errata/RHSA-2026:2737
reference_id RHSA-2026:2737
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2737
22
reference_url https://access.redhat.com/errata/RHSA-2026:3406
reference_id RHSA-2026:3406
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3406
fixed_packages
0
url pkg:npm/dompurify@3.2.4
purl pkg:npm/dompurify@3.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mv6v-re2k-g3gn
1
vulnerability VCID-ps3s-bymy-dkbc
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.2.4
aliases CVE-2025-26791, GHSA-vhxf-7vqr-mrjg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vzq7-t235-ukd5
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.3