VulnerableCode Package Details - pkg:deb/debian/node-dompurify@2.4.1%2Bdfsg%2B~2.4.0-2%2Bdeb12u1

Search for packages

Vulnerability	Summary	Fixed by
VCID-mv6v-re2k-g3gn Aliases: CVE-2025-15599 GHSA-v8jm-5vwx-cfxm	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.	3.3.3+dfsg-1 Affected by 0 other vulnerabilities. 3.3.3+dfsg-2 Affected by 0 other vulnerabilities.
VCID-ps3s-bymy-dkbc Aliases: CVE-2026-0540 GHSA-v2wj-7wpq-c8vv	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.	3.3.3+dfsg-1 Affected by 0 other vulnerabilities. 3.3.3+dfsg-2 Affected by 0 other vulnerabilities.
VCID-vzq7-t235-ukd5 Aliases: CVE-2025-26791 GHSA-vhxf-7vqr-mrjg	DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).	3.1.7+dfsg+~3.0.5-2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-mv6v-re2k-g3gn
Aliases:
CVE-2025-15599
GHSA-v8jm-5vwx-cfxm

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

3.3.3+dfsg-1
Affected by 0 other vulnerabilities.

3.3.3+dfsg-2
Affected by 0 other vulnerabilities.

VCID-ps3s-bymy-dkbc
Aliases:
CVE-2026-0540
GHSA-v2wj-7wpq-c8vv

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

3.3.3+dfsg-1
Affected by 0 other vulnerabilities.

3.3.3+dfsg-2
Affected by 0 other vulnerabilities.

VCID-vzq7-t235-ukd5
Aliases:
CVE-2025-26791
GHSA-vhxf-7vqr-mrjg

DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

3.1.7+dfsg+~3.0.5-2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:32:05.224326+00:00	Debian Importer	Affected by	VCID-mv6v-re2k-g3gn	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:18:49.381558+00:00	Debian Importer	Affected by	VCID-vzq7-t235-ukd5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:55:15.157137+00:00	Debian Importer	Affected by	VCID-ps3s-bymy-dkbc	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:51:43.788743+00:00	Debian Importer	Affected by	VCID-mv6v-re2k-g3gn	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:10:32.767810+00:00	Debian Importer	Affected by	VCID-vzq7-t235-ukd5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T05:52:27.151918+00:00	Debian Importer	Affected by	VCID-ps3s-bymy-dkbc	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-08T19:32:07.917806+00:00	Debian Importer	Affected by	VCID-ps3s-bymy-dkbc	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T19:26:22.195213+00:00	Debian Importer	Affected by	VCID-mv6v-re2k-g3gn	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T18:51:09.044576+00:00	Debian Importer	Affected by	VCID-vzq7-t235-ukd5	https://security-tracker.debian.org/tracker/data/json	38.1.0