VulnerableCode Package Details - pkg:npm/dompurify@2.5.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-mv6v-re2k-g3gn Aliases: CVE-2025-15599 GHSA-v8jm-5vwx-cfxm	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.	3.0.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.2.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-ps3s-bymy-dkbc Aliases: CVE-2026-0540 GHSA-v2wj-7wpq-c8vv	DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.	2.5.9 Affected by 0 other vulnerabilities. 3.0.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.3.2 Affected by 0 other vulnerabilities.
VCID-vzq7-t235-ukd5 Aliases: CVE-2025-26791 GHSA-vhxf-7vqr-mrjg	DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).	3.2.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-mv6v-re2k-g3gn
Aliases:
CVE-2025-15599
GHSA-v8jm-5vwx-cfxm

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

3.0.0
Affected by 3 other vulnerabilities.

3.2.7
Affected by 1 other vulnerability.

VCID-ps3s-bymy-dkbc
Aliases:
CVE-2026-0540
GHSA-v2wj-7wpq-c8vv

DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

2.5.9
Affected by 0 other vulnerabilities.

3.0.0
Affected by 3 other vulnerabilities.

3.3.2
Affected by 0 other vulnerabilities.

VCID-vzq7-t235-ukd5
Aliases:
CVE-2025-26791
GHSA-vhxf-7vqr-mrjg

DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

3.2.4
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-gmsu-xfke-47bg	DOMPurify allows tampering by prototype pollution It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid XSS attack. Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).	CVE-2024-45801 GHSA-mmhx-hmjr-r674

Vulnerability

Summary

Aliases

VCID-gmsu-xfke-47bg

DOMPurify allows tampering by prototype pollution It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid XSS attack. Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

CVE-2024-45801
GHSA-mmhx-hmjr-r674

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:29:43.232915+00:00	GitLab Importer	Affected by	VCID-mv6v-re2k-g3gn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml	38.4.0
2026-04-17T00:29:23.368786+00:00	GitLab Importer	Affected by	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.4.0
2026-04-16T23:21:03.563186+00:00	GitLab Importer	Affected by	VCID-vzq7-t235-ukd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-26791.yml	38.4.0
2026-04-16T23:08:03.007313+00:00	GitLab Importer	Fixing	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.4.0
2026-04-12T01:54:26.053387+00:00	GitLab Importer	Affected by	VCID-mv6v-re2k-g3gn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml	38.3.0
2026-04-12T01:54:05.950966+00:00	GitLab Importer	Affected by	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.3.0
2026-04-12T00:40:04.438073+00:00	GitLab Importer	Affected by	VCID-vzq7-t235-ukd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-26791.yml	38.3.0
2026-04-12T00:26:12.498305+00:00	GitLab Importer	Fixing	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.3.0
2026-04-05T04:21:57.852078+00:00	GitLab Importer	Affected by	VCID-mv6v-re2k-g3gn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml	38.1.0
2026-04-05T04:21:39.665835+00:00	GitLab Importer	Affected by	VCID-ps3s-bymy-dkbc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml	38.1.0
2026-04-03T00:48:00.111471+00:00	GitLab Importer	Affected by	VCID-vzq7-t235-ukd5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-26791.yml	38.1.0
2026-04-03T00:33:51.410733+00:00	GitLab Importer	Fixing	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.1.0
2026-04-02T12:40:02.273587+00:00	GitLab Importer	Fixing	VCID-gmsu-xfke-47bg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2024-45801.yml	38.0.0
2026-04-01T16:06:24.705923+00:00	GHSA Importer	Fixing	VCID-gmsu-xfke-47bg	https://github.com/advisories/GHSA-mmhx-hmjr-r674	38.0.0
2026-04-01T12:49:50.074671+00:00	GithubOSV Importer	Fixing	VCID-gmsu-xfke-47bg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-mmhx-hmjr-r674/GHSA-mmhx-hmjr-r674.json	38.0.0