Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/dompurify@3.2.7
purl pkg:npm/dompurify@3.2.7
Next non-vulnerable version 3.3.2
Latest non-vulnerable version 3.4.0
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-ps3s-bymy-dkbc
Aliases:
CVE-2026-0540
GHSA-v2wj-7wpq-c8vv
DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `</noscript><img src=x onerror=alert(1)>` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
3.3.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-mv6v-re2k-g3gn DOMPurify contains a Cross-site Scripting vulnerability DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched. CVE-2025-15599
GHSA-v8jm-5vwx-cfxm

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-17T00:29:43.306421+00:00 GitLab Importer Fixing VCID-mv6v-re2k-g3gn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml 38.4.0
2026-04-17T00:29:23.442531+00:00 GitLab Importer Affected by VCID-ps3s-bymy-dkbc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml 38.4.0
2026-04-12T01:54:26.136617+00:00 GitLab Importer Fixing VCID-mv6v-re2k-g3gn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml 38.3.0
2026-04-12T01:54:06.040616+00:00 GitLab Importer Affected by VCID-ps3s-bymy-dkbc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml 38.3.0
2026-04-05T04:21:57.932994+00:00 GitLab Importer Fixing VCID-mv6v-re2k-g3gn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2025-15599.yml 38.1.0
2026-04-05T04:21:39.761474+00:00 GitLab Importer Affected by VCID-ps3s-bymy-dkbc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dompurify/CVE-2026-0540.yml 38.1.0
2026-04-01T16:08:19.336667+00:00 GHSA Importer Fixing VCID-mv6v-re2k-g3gn https://github.com/advisories/GHSA-v8jm-5vwx-cfxm 38.0.0
2026-04-01T12:53:40.966843+00:00 GithubOSV Importer Fixing VCID-mv6v-re2k-g3gn https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-v8jm-5vwx-cfxm/GHSA-v8jm-5vwx-cfxm.json 38.0.0