Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/dompurify@2.5.9
purl pkg:npm/dompurify@2.5.9
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-ps3s-bymy-dkbc DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. CVE-2026-0540
GHSA-v2wj-7wpq-c8vv

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-06T06:40:18.808179+00:00 GitLab Importer Fixing VCID-ps3s-bymy-dkbc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml 38.1.0
2026-04-01T16:08:19.372072+00:00 GHSA Importer Fixing VCID-ps3s-bymy-dkbc https://github.com/advisories/GHSA-v2wj-7wpq-c8vv 38.0.0
2026-04-01T12:54:01.740539+00:00 GithubOSV Importer Fixing VCID-ps3s-bymy-dkbc https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v2wj-7wpq-c8vv/GHSA-v2wj-7wpq-c8vv.json 38.0.0