Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/dompurify@1.0.7
Typenpm
Namespace
Namedompurify
Version1.0.7
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.5.9
Latest_non_vulnerable_version3.4.0
Affected_by_vulnerabilities
0
url VCID-4qke-xfet-xue6
vulnerability_id VCID-4qke-xfet-xue6
summary 
URL Redirection to Untrusted Site ('Open Redirect')
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-25155
reference_id
reference_type
scores
0
value 0.00242
scoring_system epss
scoring_elements 0.4753
published_at 2026-04-18T12:55:00Z
1
value 0.00242
scoring_system epss
scoring_elements 0.47417
published_at 2026-04-01T12:55:00Z
2
value 0.00242
scoring_system epss
scoring_elements 0.47451
published_at 2026-04-02T12:55:00Z
3
value 0.00242
scoring_system epss
scoring_elements 0.47473
published_at 2026-04-04T12:55:00Z
4
value 0.00242
scoring_system epss
scoring_elements 0.47422
published_at 2026-04-07T12:55:00Z
5
value 0.00242
scoring_system epss
scoring_elements 0.47477
published_at 2026-04-08T12:55:00Z
6
value 0.00242
scoring_system epss
scoring_elements 0.47474
published_at 2026-04-09T12:55:00Z
7
value 0.00242
scoring_system epss
scoring_elements 0.47496
published_at 2026-04-11T12:55:00Z
8
value 0.00242
scoring_system epss
scoring_elements 0.47471
published_at 2026-04-12T12:55:00Z
9
value 0.00242
scoring_system epss
scoring_elements 0.47478
published_at 2026-04-13T12:55:00Z
10
value 0.00242
scoring_system epss
scoring_elements 0.47537
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-25155
1
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
2
reference_url https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83
3
reference_url https://github.com/cure53/DOMPurify/compare/1.0.10...1.0.11
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T18:24:04Z/
url https://github.com/cure53/DOMPurify/compare/1.0.10...1.0.11
4
reference_url https://github.com/cure53/DOMPurify/pull/337
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/pull/337
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-25155
reference_id CVE-2019-25155
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-25155
6
reference_url https://github.com/cure53/DOMPurify/pull/337/files
reference_id files
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T18:24:04Z/
url https://github.com/cure53/DOMPurify/pull/337/files
7
reference_url https://github.com/advisories/GHSA-8hgg-xxm5-3873
reference_id GHSA-8hgg-xxm5-3873
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8hgg-xxm5-3873
fixed_packages
0
url pkg:npm/dompurify@1.0.11
purl pkg:npm/dompurify@1.0.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9517-d2c6-9fhx
1
vulnerability VCID-gmsu-xfke-47bg
2
vulnerability VCID-mebp-4rfu-vqcq
3
vulnerability VCID-prz4-pcsj-gfh2
4
vulnerability VCID-ttsq-pq54-g7fg
5
vulnerability VCID-vbs9-gben-9kgc
6
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@1.0.11
aliases CVE-2019-25155, GHSA-8hgg-xxm5-3873
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4qke-xfet-xue6
1
url VCID-9517-d2c6-9fhx
vulnerability_id VCID-9517-d2c6-9fhx
summary 
Cross-Site Scripting in dompurify
Versions of `dompurify` prior to 2.0.7 are vulnerable to Cross-Site Scripting (XSS). It is possible to bypass the package sanitization through Mutation XSS, which may allow an attacker to execute arbitrary JavaScript in a victim's browser.


## Recommendation

Upgrade to version 2.0.7 or later.
references
0
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
1
reference_url https://github.com/cure53/DOMPurify/releases/tag/2.0.7
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/releases/tag/2.0.7
2
reference_url https://www.npmjs.com/advisories/1223
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1223
3
reference_url https://github.com/advisories/GHSA-mjjq-c88q-qhr6
reference_id GHSA-mjjq-c88q-qhr6
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mjjq-c88q-qhr6
fixed_packages
0
url pkg:npm/dompurify@2.0.7
purl pkg:npm/dompurify@2.0.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gmsu-xfke-47bg
1
vulnerability VCID-mebp-4rfu-vqcq
2
vulnerability VCID-prz4-pcsj-gfh2
3
vulnerability VCID-vbs9-gben-9kgc
4
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.7
aliases GHSA-mjjq-c88q-qhr6, GMS-2020-711
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9517-d2c6-9fhx
2
url VCID-gmsu-xfke-47bg
vulnerability_id VCID-gmsu-xfke-47bg
summary 
DOMPurify allows tampering by prototype pollution
It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45801
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.21673
published_at 2026-04-18T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.21667
published_at 2026-04-16T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.21668
published_at 2026-04-13T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.21724
published_at 2026-04-12T12:55:00Z
4
value 0.00071
scoring_system epss
scoring_elements 0.21764
published_at 2026-04-11T12:55:00Z
5
value 0.00071
scoring_system epss
scoring_elements 0.21753
published_at 2026-04-09T12:55:00Z
6
value 0.00071
scoring_system epss
scoring_elements 0.21696
published_at 2026-04-08T12:55:00Z
7
value 0.00071
scoring_system epss
scoring_elements 0.2162
published_at 2026-04-07T12:55:00Z
8
value 0.00071
scoring_system epss
scoring_elements 0.21868
published_at 2026-04-04T12:55:00Z
9
value 0.00071
scoring_system epss
scoring_elements 0.21815
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45801
2
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
3
reference_url https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/
url https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21
4
reference_url https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/
url https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc
5
reference_url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/
url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45801
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45801
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2312631
reference_id 2312631
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2312631
8
reference_url https://github.com/advisories/GHSA-mmhx-hmjr-r674
reference_id GHSA-mmhx-hmjr-r674
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mmhx-hmjr-r674
9
reference_url https://access.redhat.com/errata/RHSA-2024:11381
reference_id RHSA-2024:11381
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11381
10
reference_url https://access.redhat.com/errata/RHSA-2024:7324
reference_id RHSA-2024:7324
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7324
11
reference_url https://access.redhat.com/errata/RHSA-2024:7706
reference_id RHSA-2024:7706
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7706
12
reference_url https://access.redhat.com/errata/RHSA-2024:8014
reference_id RHSA-2024:8014
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8014
13
reference_url https://access.redhat.com/errata/RHSA-2025:0892
reference_id RHSA-2025:0892
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0892
14
reference_url https://access.redhat.com/errata/RHSA-2025:4019
reference_id RHSA-2025:4019
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4019
fixed_packages
0
url pkg:npm/dompurify@2.5.4
purl pkg:npm/dompurify@2.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mv6v-re2k-g3gn
1
vulnerability VCID-ps3s-bymy-dkbc
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.4
1
url pkg:npm/dompurify@3.1.3
purl pkg:npm/dompurify@3.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mv6v-re2k-g3gn
1
vulnerability VCID-ps3s-bymy-dkbc
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.1.3
aliases CVE-2024-45801, GHSA-mmhx-hmjr-r674
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gmsu-xfke-47bg
3
url VCID-mebp-4rfu-vqcq
vulnerability_id VCID-mebp-4rfu-vqcq
summary 
DOMpurify has a nesting-based mXSS
DOMpurify was vulnerable to nesting-based mXSS 

fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and
[merge 943](https://github.com/cure53/DOMPurify/pull/943)

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47875
reference_id
reference_type
scores
0
value 0.00699
scoring_system epss
scoring_elements 0.72026
published_at 2026-04-18T12:55:00Z
1
value 0.00699
scoring_system epss
scoring_elements 0.72019
published_at 2026-04-16T12:55:00Z
2
value 0.00699
scoring_system epss
scoring_elements 0.71978
published_at 2026-04-13T12:55:00Z
3
value 0.00699
scoring_system epss
scoring_elements 0.71993
published_at 2026-04-12T12:55:00Z
4
value 0.00699
scoring_system epss
scoring_elements 0.7201
published_at 2026-04-11T12:55:00Z
5
value 0.00699
scoring_system epss
scoring_elements 0.71939
published_at 2026-04-02T12:55:00Z
6
value 0.00699
scoring_system epss
scoring_elements 0.71935
published_at 2026-04-07T12:55:00Z
7
value 0.00699
scoring_system epss
scoring_elements 0.71959
published_at 2026-04-04T12:55:00Z
8
value 0.00699
scoring_system epss
scoring_elements 0.71986
published_at 2026-04-09T12:55:00Z
9
value 0.00699
scoring_system epss
scoring_elements 0.71974
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47875
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875
3
reference_url http://seclists.org/fulldisclosure/2025/Apr/14
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2025/Apr/14
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
6
reference_url https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
2
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/
url https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098
7
reference_url https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
2
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/
url https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f
8
reference_url https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
2
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/
url https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a
9
reference_url https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/
url https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
10
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47875
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
1
value 7.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47875
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983
reference_id 1084983
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2318052
reference_id 2318052
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2318052
14
reference_url https://github.com/advisories/GHSA-gx9m-whjm-85jf
reference_id GHSA-gx9m-whjm-85jf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gx9m-whjm-85jf
15
reference_url https://access.redhat.com/errata/RHSA-2024:10236
reference_id RHSA-2024:10236
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10236
16
reference_url https://access.redhat.com/errata/RHSA-2024:10988
reference_id RHSA-2024:10988
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10988
17
reference_url https://access.redhat.com/errata/RHSA-2024:8683
reference_id RHSA-2024:8683
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8683
18
reference_url https://access.redhat.com/errata/RHSA-2024:8981
reference_id RHSA-2024:8981
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8981
19
reference_url https://access.redhat.com/errata/RHSA-2024:9473
reference_id RHSA-2024:9473
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:9473
20
reference_url https://access.redhat.com/errata/RHSA-2024:9629
reference_id RHSA-2024:9629
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:9629
21
reference_url https://access.redhat.com/errata/RHSA-2025:0329
reference_id RHSA-2025:0329
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0329
fixed_packages
0
url pkg:npm/dompurify@2.5.0
purl pkg:npm/dompurify@2.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gmsu-xfke-47bg
1
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.0
1
url pkg:npm/dompurify@3.1.3
purl pkg:npm/dompurify@3.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mv6v-re2k-g3gn
1
vulnerability VCID-ps3s-bymy-dkbc
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.1.3
aliases CVE-2024-47875, GHSA-gx9m-whjm-85jf
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mebp-4rfu-vqcq
4
url VCID-prz4-pcsj-gfh2
vulnerability_id VCID-prz4-pcsj-gfh2
summary 
Cross-site Scripting in dompurify
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-26870
reference_id
reference_type
scores
0
value 0.00417
scoring_system epss
scoring_elements 0.6161
published_at 2026-04-01T12:55:00Z
1
value 0.00417
scoring_system epss
scoring_elements 0.61714
published_at 2026-04-04T12:55:00Z
2
value 0.00417
scoring_system epss
scoring_elements 0.61684
published_at 2026-04-02T12:55:00Z
3
value 0.00417
scoring_system epss
scoring_elements 0.61786
published_at 2026-04-18T12:55:00Z
4
value 0.00417
scoring_system epss
scoring_elements 0.61781
published_at 2026-04-16T12:55:00Z
5
value 0.00417
scoring_system epss
scoring_elements 0.61739
published_at 2026-04-13T12:55:00Z
6
value 0.00417
scoring_system epss
scoring_elements 0.61759
published_at 2026-04-12T12:55:00Z
7
value 0.00417
scoring_system epss
scoring_elements 0.61771
published_at 2026-04-11T12:55:00Z
8
value 0.00417
scoring_system epss
scoring_elements 0.6175
published_at 2026-04-09T12:55:00Z
9
value 0.00417
scoring_system epss
scoring_elements 0.61734
published_at 2026-04-08T12:55:00Z
10
value 0.00417
scoring_system epss
scoring_elements 0.61686
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-26870
1
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
2
reference_url https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d
3
reference_url https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17
4
reference_url https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-26870
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-26870
6
reference_url https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870
7
reference_url https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass
8
reference_url https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
reference_id
reference_type
scores
url https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
9
reference_url https://snyk.io/vuln/SNYK-JS-DOMPURIFY-1016634
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-DOMPURIFY-1016634
10
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
11
reference_url https://github.com/advisories/GHSA-63q7-h895-m982
reference_id GHSA-63q7-h895-m982
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-63q7-h895-m982
fixed_packages
0
url pkg:npm/dompurify@2.0.17
purl pkg:npm/dompurify@2.0.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gmsu-xfke-47bg
1
vulnerability VCID-mebp-4rfu-vqcq
2
vulnerability VCID-vbs9-gben-9kgc
3
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.17
aliases CVE-2020-26870, GHSA-63q7-h895-m982
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-prz4-pcsj-gfh2
5
url VCID-ttsq-pq54-g7fg
vulnerability_id VCID-ttsq-pq54-g7fg
summary 
Cross-Site Scripting in dompurify
Versions of `dompurify` prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of `<svg>`/`<math>` elements and `</p>`/`</br>`. An example payload is: `<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">`. This allows attackers to bypass the XSS protection and execute arbitrary JavaScript in a victim's browser.


## Recommendation

Upgrade to version 2.0.3 or later. You may also disallow `<svg>` and `<math>` through `dompurify` configurations:
```DOMPurify.sanitize(input, {
     FORBID_TAGS: ['svg', 'math']
 });```
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-16728
reference_id
reference_type
scores
0
value 0.00962
scoring_system epss
scoring_elements 0.76448
published_at 2026-04-02T12:55:00Z
1
value 0.00962
scoring_system epss
scoring_elements 0.76546
published_at 2026-04-18T12:55:00Z
2
value 0.00962
scoring_system epss
scoring_elements 0.76542
published_at 2026-04-16T12:55:00Z
3
value 0.00962
scoring_system epss
scoring_elements 0.76501
published_at 2026-04-13T12:55:00Z
4
value 0.00962
scoring_system epss
scoring_elements 0.76507
published_at 2026-04-12T12:55:00Z
5
value 0.00962
scoring_system epss
scoring_elements 0.76528
published_at 2026-04-11T12:55:00Z
6
value 0.00962
scoring_system epss
scoring_elements 0.76502
published_at 2026-04-09T12:55:00Z
7
value 0.00962
scoring_system epss
scoring_elements 0.76491
published_at 2026-04-08T12:55:00Z
8
value 0.00962
scoring_system epss
scoring_elements 0.76477
published_at 2026-04-04T12:55:00Z
9
value 0.00962
scoring_system epss
scoring_elements 0.76444
published_at 2026-04-01T12:55:00Z
10
value 0.00962
scoring_system epss
scoring_elements 0.76459
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-16728
1
reference_url https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16728
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:N/I:P/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-16728
3
reference_url https://research.securitum.com/dompurify-bypass-using-mxss
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://research.securitum.com/dompurify-bypass-using-mxss
4
reference_url https://research.securitum.com/dompurify-bypass-using-mxss/
reference_id
reference_type
scores
url https://research.securitum.com/dompurify-bypass-using-mxss/
5
reference_url https://www.npmjs.com/advisories/1205
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1205
6
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
reference_id cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
8
reference_url https://github.com/advisories/GHSA-chqj-j4fh-rw7m
reference_id GHSA-chqj-j4fh-rw7m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-chqj-j4fh-rw7m
fixed_packages
0
url pkg:npm/dompurify@2.0.1
purl pkg:npm/dompurify@2.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9517-d2c6-9fhx
1
vulnerability VCID-gmsu-xfke-47bg
2
vulnerability VCID-mebp-4rfu-vqcq
3
vulnerability VCID-prz4-pcsj-gfh2
4
vulnerability VCID-vbs9-gben-9kgc
5
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.1
1
url pkg:npm/dompurify@2.0.3
purl pkg:npm/dompurify@2.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9517-d2c6-9fhx
1
vulnerability VCID-gmsu-xfke-47bg
2
vulnerability VCID-mebp-4rfu-vqcq
3
vulnerability VCID-prz4-pcsj-gfh2
4
vulnerability VCID-vbs9-gben-9kgc
5
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.3
aliases CVE-2019-16728, GHSA-chqj-j4fh-rw7m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ttsq-pq54-g7fg
6
url VCID-vbs9-gben-9kgc
vulnerability_id VCID-vbs9-gben-9kgc
summary 
DOMPurify vulnerable to tampering by prototype polution
dompurify was vulnerable to prototype pollution

Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48910.json
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48910.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-48910
reference_id
reference_type
scores
0
value 0.02592
scoring_system epss
scoring_elements 0.85619
published_at 2026-04-18T12:55:00Z
1
value 0.02592
scoring_system epss
scoring_elements 0.85547
published_at 2026-04-04T12:55:00Z
2
value 0.02592
scoring_system epss
scoring_elements 0.85553
published_at 2026-04-07T12:55:00Z
3
value 0.02592
scoring_system epss
scoring_elements 0.85573
published_at 2026-04-08T12:55:00Z
4
value 0.02592
scoring_system epss
scoring_elements 0.85583
published_at 2026-04-09T12:55:00Z
5
value 0.02592
scoring_system epss
scoring_elements 0.85597
published_at 2026-04-11T12:55:00Z
6
value 0.02592
scoring_system epss
scoring_elements 0.85594
published_at 2026-04-12T12:55:00Z
7
value 0.02592
scoring_system epss
scoring_elements 0.8559
published_at 2026-04-13T12:55:00Z
8
value 0.02592
scoring_system epss
scoring_elements 0.85613
published_at 2026-04-16T12:55:00Z
9
value 0.02808
scoring_system epss
scoring_elements 0.86074
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-48910
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48910
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48910
3
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
4
reference_url https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/
url https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc
5
reference_url https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/
url https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr
6
reference_url https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-48910
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-48910
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2322949
reference_id 2322949
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2322949
9
reference_url https://github.com/advisories/GHSA-p3vf-v8qc-cwcr
reference_id GHSA-p3vf-v8qc-cwcr
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p3vf-v8qc-cwcr
10
reference_url https://access.redhat.com/errata/RHSA-2024:10186
reference_id RHSA-2024:10186
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10186
11
reference_url https://access.redhat.com/errata/RHSA-2024:9583
reference_id RHSA-2024:9583
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:9583
12
reference_url https://access.redhat.com/errata/RHSA-2025:0079
reference_id RHSA-2025:0079
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0079
13
reference_url https://access.redhat.com/errata/RHSA-2025:0082
reference_id RHSA-2025:0082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0082
14
reference_url https://access.redhat.com/errata/RHSA-2025:0654
reference_id RHSA-2025:0654
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0654
15
reference_url https://access.redhat.com/errata/RHSA-2025:0875
reference_id RHSA-2025:0875
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0875
16
reference_url https://access.redhat.com/errata/RHSA-2025:18233
reference_id RHSA-2025:18233
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:18233
17
reference_url https://access.redhat.com/errata/RHSA-2025:19003
reference_id RHSA-2025:19003
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19003
18
reference_url https://access.redhat.com/errata/RHSA-2025:19017
reference_id RHSA-2025:19017
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19017
19
reference_url https://access.redhat.com/errata/RHSA-2025:19047
reference_id RHSA-2025:19047
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19047
20
reference_url https://access.redhat.com/errata/RHSA-2025:19306
reference_id RHSA-2025:19306
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19306
21
reference_url https://access.redhat.com/errata/RHSA-2025:19314
reference_id RHSA-2025:19314
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19314
22
reference_url https://access.redhat.com/errata/RHSA-2025:19895
reference_id RHSA-2025:19895
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19895
23
reference_url https://access.redhat.com/errata/RHSA-2025:22284
reference_id RHSA-2025:22284
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22284
fixed_packages
0
url pkg:npm/dompurify@2.4.2
purl pkg:npm/dompurify@2.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gmsu-xfke-47bg
1
vulnerability VCID-mebp-4rfu-vqcq
2
vulnerability VCID-vzq7-t235-ukd5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.4.2
aliases CVE-2024-48910, GHSA-p3vf-v8qc-cwcr
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vbs9-gben-9kgc
7
url VCID-vzq7-t235-ukd5
vulnerability_id VCID-vzq7-t235-ukd5
summary 
DOMPurify allows Cross-site Scripting (XSS)
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-26791
reference_id
reference_type
scores
0
value 0.00095
scoring_system epss
scoring_elements 0.26497
published_at 2026-04-08T12:55:00Z
1
value 0.00095
scoring_system epss
scoring_elements 0.26455
published_at 2026-04-16T12:55:00Z
2
value 0.00095
scoring_system epss
scoring_elements 0.26449
published_at 2026-04-13T12:55:00Z
3
value 0.00095
scoring_system epss
scoring_elements 0.26506
published_at 2026-04-12T12:55:00Z
4
value 0.00095
scoring_system epss
scoring_elements 0.26427
published_at 2026-04-07T12:55:00Z
5
value 0.00095
scoring_system epss
scoring_elements 0.26426
published_at 2026-04-18T12:55:00Z
6
value 0.00095
scoring_system epss
scoring_elements 0.26546
published_at 2026-04-09T12:55:00Z
7
value 0.00095
scoring_system epss
scoring_elements 0.26552
published_at 2026-04-11T12:55:00Z
8
value 0.00166
scoring_system epss
scoring_elements 0.37771
published_at 2026-04-02T12:55:00Z
9
value 0.00166
scoring_system epss
scoring_elements 0.37796
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-26791
2
reference_url https://ensy.zip/posts/dompurify-323-bypass
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://ensy.zip/posts/dompurify-323-bypass
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/cure53/DOMPurify
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify
5
reference_url https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
6
reference_url https://github.com/cure53/DOMPurify/releases/tag/3.2.4
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://github.com/cure53/DOMPurify/releases/tag/3.2.4
7
reference_url https://nsysean.github.io/posts/dompurify-323-bypass
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nsysean.github.io/posts/dompurify-323-bypass
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-26791
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-26791
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325
reference_id 1098325
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2345695
reference_id 2345695
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2345695
11
reference_url https://ensy.zip/posts/dompurify-323-bypass/
reference_id dompurify-323-bypass
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://ensy.zip/posts/dompurify-323-bypass/
12
reference_url https://nsysean.github.io/posts/dompurify-323-bypass/
reference_id dompurify-323-bypass
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/
url https://nsysean.github.io/posts/dompurify-323-bypass/
13
reference_url https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
reference_id GHSA-vhxf-7vqr-mrjg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
14
reference_url https://access.redhat.com/errata/RHSA-2025:10020
reference_id RHSA-2025:10020
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:10020
15
reference_url https://access.redhat.com/errata/RHSA-2025:1875
reference_id RHSA-2025:1875
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1875
16
reference_url https://access.redhat.com/errata/RHSA-2025:2518
reference_id RHSA-2025:2518
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2518
17
reference_url https://access.redhat.com/errata/RHSA-2025:3368
reference_id RHSA-2025:3368
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3368
18
reference_url https://access.redhat.com/errata/RHSA-2025:3397
reference_id RHSA-2025:3397
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3397
19
reference_url https://access.redhat.com/errata/RHSA-2025:3886
reference_id RHSA-2025:3886
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3886
20
reference_url https://access.redhat.com/errata/RHSA-2025:7626
reference_id RHSA-2025:7626
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7626
21
reference_url https://access.redhat.com/errata/RHSA-2026:2737
reference_id RHSA-2026:2737
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:2737
22
reference_url https://access.redhat.com/errata/RHSA-2026:3406
reference_id RHSA-2026:3406
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3406
fixed_packages
0
url pkg:npm/dompurify@3.2.4
purl pkg:npm/dompurify@3.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mv6v-re2k-g3gn
1
vulnerability VCID-ps3s-bymy-dkbc
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.2.4
aliases CVE-2025-26791, GHSA-vhxf-7vqr-mrjg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vzq7-t235-ukd5
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/dompurify@1.0.7