purl: pkg:deb/debian/node-dompurify@3.4.5%2Bdfsg-1
Affected by vulnerabilities

| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
Fixing vulnerabilities

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3fxk-2qcb-jfa3 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At lines 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue. | CVE-2026-41240, GHSA-h7mw-gpvr-xq4m |
| VCID-5b1v-85es-t3fb | In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started." | CVE-2025-48050 |
| VCID-8d4n-d1dh-4fe9 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes, including event handlers, through sanitization. Version 3.4.0 fixes the issue. | CVE-2026-41238, GHSA-v9jr-rg53-9pgp |
| VCID-cmrb-k5pw-vffn | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue. | CVE-2026-41239, GHSA-crv5-9vww-q3g8 |
| VCID-cv62-a95x-9uhe | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. | CVE-2026-0540, GHSA-v2wj-7wpq-c8vv |
| VCID-r6b8-q386-3ken | DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like `</textarea>` in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched. | CVE-2025-15599, GHSA-v8jm-5vwx-cfxm |
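The rawtext breakout behind VCID-cv62-a95x-9uhe and VCID-r6b8-q386-3ken, as an added example that is not DOMPurify's code: a check over attribute values for end tags of HTML rawtext and escapable-rawtext elements, and a string-level model of what an HTML parser in rawtext mode does with sanitized output that carries such a tag. The element list is the HTML parsing spec's, not DOMPurify's SAFE_FOR_XML regex; the function names and the sample markup are constructed for illustration.

```javascript
// Added example, not DOMPurify's code. Elements whose content an HTML parser
// tokenises as raw text (script, style, xmp, iframe, noembed, noframes,
// plaintext, noscript) or escapable raw text (textarea, title). Inside them
// the parser looks for nothing but the matching end tag, so a "</x>" that a
// DOM-based sanitizer saw as harmless attribute text becomes a real end tag
// once the serialized output is placed inside <x>.
const RAWTEXT_ELEMENTS = [
  'script', 'style', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext',
  'noscript', 'textarea', 'title',
];

// An end tag is recognised as "</name" followed by whitespace, "/" or ">"
// (case-insensitive); "</noscripting>" does not close <noscript>.
const END_TAG_RE = new RegExp(
  '</(' + RAWTEXT_ELEMENTS.join('|') + ')[\\t\\n\\f\\r />]', 'i');

// Returns the lowercased element name an attribute value could close, or null.
function findRawtextBreakout(attrValue) {
  const m = END_TAG_RE.exec(attrValue);
  return m ? m[1].toLowerCase() : null;
}

// Given attributes as a plain name -> value object, return the names whose
// values must be dropped to keep the output safe for any rawtext context
// (the policy a SAFE_FOR_XML-style option is meant to apply).
function attributesToDrop(attrs) {
  return Object.keys(attrs)
    .filter((name) => findRawtextBreakout(String(attrs[name])) !== null);
}

// String-level model of the parser: when `markup` lands inside <wrapper>,
// everything up to the first "</wrapper" end tag is text, and everything after
// the ">" that ends that tag is tokenised as normal HTML again. Returns that
// tail, or null when the markup cannot break out of the wrapper.
function rawtextBreakoutTail(wrapper, markup) {
  const re = new RegExp('</' + wrapper + '[\\t\\n\\f\\r />]', 'i');
  const m = re.exec(markup);
  if (!m) return null;
  const gt = markup.indexOf('>', m.index);
  return gt === -1 ? markup.slice(m.index + m[0].length) : markup.slice(gt + 1);
}

// Constructed sample: the payload shape from the advisory, carried in a title
// attribute so a sanitizer that only inspects the DOM keeps it as plain text.
const SAMPLE_MARKUP =
  '<a title="</noscript><img src=x onerror=alert(1)>">link</a>';

function demo() {
  return {
    breakout: findRawtextBreakout('</noscript><img src=x onerror=alert(1)>'),
    notAnEndTag: findRawtextBreakout('</noscripting>'),
    dropped: attributesToDrop({ href: 'https://example.test/', title: '</textarea>x' }),
    tailInNoscript: rawtextBreakoutTail('noscript', SAMPLE_MARKUP),
    tailInDiv: rawtextBreakoutTail('div', SAMPLE_MARKUP),
  };
}
```

`demo()` shows the two halves of the bug: the same sanitized string is inert when it ends up in a normal element (`tailInDiv` is null) but yields `<img src=x onerror=alert(1)>">link</a>` to the parser when embedded in `<noscript>`, and `attributesToDrop` is the attribute-level check that would have refused the payload up front.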
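The two configuration-handling defects in VCID-8d4n-d1dh-4fe9 and VCID-3fxk-2qcb-jfa3, as an added example that is not DOMPurify's code: a toy tag decision that reads a CUSTOM_ELEMENT_HANDLING-style object with plain property access and consults the custom tag check before the forbid list, beside a hardened form. The function names, the tag sets and the prototype-pollution simulation are assumptions made for illustration.

```javascript
// Added example, not DOMPurify's code: a toy tag decision showing two ways a
// sanitizer's option handling can be subverted, and a hardened form.
// `allowed` / `forbid` are Sets of tag names; `handling` stands in for a
// CUSTOM_ELEMENT_HANDLING-style object whose optional tagNameCheck may be a
// RegExp or a function.

function customCheckPasses(check, tag) {
  if (check instanceof RegExp) return check.test(tag);
  if (typeof check === 'function') return Boolean(check(tag));
  return false;
}

// Weak form, with two defects of the kind the advisories describe:
//  1. `handling.tagNameCheck` is a plain property read, so a value that a
//     prototype-pollution gadget placed on Object.prototype is picked up even
//     when the caller passed {} or nothing at all.
//  2. The custom check is consulted first and short-circuits the decision, so
//     a permissive check admits a tag that is on the forbid list.
function isTagAllowedWeak(tag, allowed, forbid, handling = {}) {
  if (customCheckPasses(handling.tagNameCheck, tag)) return true;
  return allowed.has(tag) && !forbid.has(tag);
}

// Only own properties count as configuration. Note that the `in` operator
// would not help here: it also sees inherited properties.
function ownOption(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Hardened form: the forbid list is a hard deny evaluated before anything
// else, and the custom check is read as an own property only.
function isTagAllowedHardened(tag, allowed, forbid, handling = {}) {
  if (forbid.has(tag)) return false;
  if (allowed.has(tag)) return true;
  return customCheckPasses(ownOption(handling, 'tagNameCheck'), tag);
}

// Simulates the effect of a prior prototype-pollution gadget for the duration
// of `fn`, then removes it so the rest of the process is unaffected.
function withPollutedPrototype(fn) {
  Object.prototype.tagNameCheck = /.*/;
  Object.prototype.attributeNameCheck = /.*/;
  try {
    return fn();
  } finally {
    delete Object.prototype.tagNameCheck;
    delete Object.prototype.attributeNameCheck;
  }
}

function runScenarios() {
  const allowed = new Set(['a', 'b', 'p', 'img']);
  const forbid = new Set(['style', 'form']);
  const out = {};

  // 1. Clean process, default options: a custom element is rejected by both.
  out.cleanWeak = isTagAllowedWeak('x-widget', allowed, forbid);
  out.cleanHardened = isTagAllowedHardened('x-widget', allowed, forbid);

  // 2. Same call after a gadget polluted Object.prototype: the weak form now
  //    admits any custom element, the hardened form is unchanged.
  withPollutedPrototype(() => {
    out.pollutedWeak = isTagAllowedWeak('x-widget', allowed, forbid);
    out.pollutedHardened = isTagAllowedHardened('x-widget', allowed, forbid);
  });

  // 3. A permissive function-based check and a forbidden tag: the weak form
  //    never reaches the forbid list.
  const permissive = { tagNameCheck: (t) => /^[a-z]/.test(t) };
  out.forbidWeak = isTagAllowedWeak('style', allowed, forbid, permissive);
  out.forbidHardened = isTagAllowedHardened('style', allowed, forbid, permissive);

  // 4. A legitimately supplied own check still works in the hardened form.
  out.ownCheckHardened = isTagAllowedHardened(
    'x-widget', allowed, forbid, { tagNameCheck: /^x-/ });

  return out;
}
```

When user-supplied options are accepted, copy them onto an object without a prototype (`Object.assign(Object.create(null), userConfig)`) so that inherited keys never reach the decision logic, and keep every deny-list check ahead of any extension point that can return true.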
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-13T01:57:29.882809+00:00 | Debian Importer | Fixing | VCID-cmrb-k5pw-vffn | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:40:48.329182+00:00 | Debian Importer | Fixing | VCID-r6b8-q386-3ken | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:23:39.726249+00:00 | Debian Importer | Fixing | VCID-5b1v-85es-t3fb | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:23:21.126072+00:00 | Debian Importer | Fixing | VCID-3fxk-2qcb-jfa3 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:10:25.089469+00:00 | Debian Importer | Fixing | VCID-8d4n-d1dh-4fe9 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-13T01:08:21.858195+00:00 | Debian Importer | Fixing | VCID-cv62-a95x-9uhe | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |