Package details: pkg:deb/debian/node-dompurify@3.3.3%2Bdfsg-2?distro=trixie
purl pkg:deb/debian/node-dompurify@3.3.3%2Bdfsg-2?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (6)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gmsu-xfke-47bg | DOMPurify allows tampering by prototype pollution. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders DOMPurify unable to avoid XSS attacks. Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch). | CVE-2024-45801, GHSA-mmhx-hmjr-r674 |
| VCID-mebp-4rfu-vqcq | DOMPurify has a nesting-based mXSS. DOMPurify was vulnerable to nesting-based mXSS, fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and [merge 943](https://github.com/cure53/DOMPurify/pull/943). Backporters should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking. A PoC is available under [test](https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098). | CVE-2024-47875, GHSA-gx9m-whjm-85jf |
| VCID-mv6v-re2k-g3gn | DOMPurify contains a Cross-site Scripting vulnerability. DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the `SAFE_FOR_XML` regex. Attackers can include closing rawtext tags like `</textarea>` in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched. | CVE-2025-15599, GHSA-v8jm-5vwx-cfxm |
| VCID-ps3s-bymy-dkbc | DOMPurify contains a Cross-site Scripting vulnerability. DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. | CVE-2026-0540, GHSA-v2wj-7wpq-c8vv |
| VCID-vbs9-gben-9kgc | DOMPurify vulnerable to tampering by prototype pollution. DOMPurify was vulnerable to prototype pollution. Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc | CVE-2024-48910, GHSA-p3vf-v8qc-cwcr |
| VCID-vzq7-t235-ukd5 | DOMPurify allows Cross-site Scripting (XSS). DOMPurify before 3.2.4 has an incorrect template literal regular expression when `SAFE_FOR_TEMPLATES` is set to true, sometimes leading to mutation cross-site scripting (mXSS). | CVE-2025-26791, GHSA-vhxf-7vqr-mrjg |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T13:17:42.359580+00:00 | Debian Importer | Fixing | VCID-vbs9-gben-9kgc | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:50:22.457002+00:00 | Debian Importer | Fixing | VCID-gmsu-xfke-47bg | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:02:12.268663+00:00 | Debian Importer | Fixing | VCID-mebp-4rfu-vqcq | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-12T18:14:43.084188+00:00 | Debian Importer | Fixing | VCID-ps3s-bymy-dkbc | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-12T18:14:43.036139+00:00 | Debian Importer | Fixing | VCID-vzq7-t235-ukd5 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-12T18:14:42.987857+00:00 | Debian Importer | Fixing | VCID-mv6v-re2k-g3gn | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-12T18:14:42.926929+00:00 | Debian Importer | Fixing | VCID-vbs9-gben-9kgc | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-12T18:14:42.879788+00:00 | Debian Importer | Fixing | VCID-mebp-4rfu-vqcq | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-12T18:14:42.822472+00:00 | Debian Importer | Fixing | VCID-gmsu-xfke-47bg | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |