VulnerableCode Package Details - pkg:deb/debian/node-dompurify@3.1.7%2Bdfsg%2B~3.0.5-2

Search for packages

Vulnerability	Summary	Fixed by
VCID-mv6v-re2k-g3gn Aliases: CVE-2025-15599 GHSA-v8jm-5vwx-cfxm	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.	3.3.3+dfsg-1 Affected by 0 other vulnerabilities. 3.3.3+dfsg-2 Affected by 0 other vulnerabilities.
VCID-ps3s-bymy-dkbc Aliases: CVE-2026-0540 GHSA-v2wj-7wpq-c8vv	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.	3.3.3+dfsg-1 Affected by 0 other vulnerabilities. 3.3.3+dfsg-2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-mv6v-re2k-g3gn
Aliases:
CVE-2025-15599
GHSA-v8jm-5vwx-cfxm

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

3.3.3+dfsg-1
Affected by 0 other vulnerabilities.

3.3.3+dfsg-2
Affected by 0 other vulnerabilities.

VCID-ps3s-bymy-dkbc
Aliases:
CVE-2026-0540
GHSA-v2wj-7wpq-c8vv

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

3.3.3+dfsg-1
Affected by 0 other vulnerabilities.

3.3.3+dfsg-2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-vzq7-t235-ukd5	DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).	CVE-2025-26791 GHSA-vhxf-7vqr-mrjg

Vulnerability

Summary

Aliases

VCID-vzq7-t235-ukd5

DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

CVE-2025-26791
GHSA-vhxf-7vqr-mrjg

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:32:05.228534+00:00	Debian Importer	Affected by	VCID-mv6v-re2k-g3gn	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:18:49.385657+00:00	Debian Importer	Fixing	VCID-vzq7-t235-ukd5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:55:15.161134+00:00	Debian Importer	Affected by	VCID-ps3s-bymy-dkbc	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:51:43.792689+00:00	Debian Importer	Affected by	VCID-mv6v-re2k-g3gn	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:10:32.772028+00:00	Debian Importer	Fixing	VCID-vzq7-t235-ukd5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T05:52:27.158969+00:00	Debian Importer	Affected by	VCID-ps3s-bymy-dkbc	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-08T19:32:07.922357+00:00	Debian Importer	Affected by	VCID-ps3s-bymy-dkbc	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T19:26:22.197813+00:00	Debian Importer	Affected by	VCID-mv6v-re2k-g3gn	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T18:51:09.049756+00:00	Debian Importer	Fixing	VCID-vzq7-t235-ukd5	https://security-tracker.debian.org/tracker/data/json	38.1.0