CVE-2026-0540

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
Configurations

Configuration 1

OR cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*

History

25 Mar 2026, 15:16

Type: References
  Removed: https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5 (tags: Patch; source: disclosure@vulncheck.com)
  Added:
    • https://fluidattacks.com/advisories/daft
    • https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80
    • https://github.com/cure53/DOMPurify/releases/tag/3.3.2
Type: References
  Removed: https://github.com/cure53/DOMPurify - Product
  Added:   https://github.com/cure53/DOMPurify - Product
Type: References
  Removed: https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml - Third Party Advisory
  Added:   https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml - Third Party Advisory
Type: Summary
  Removed (es, translated from Spanish): DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like … in attribute values to execute JavaScript when the sanitized output is placed inside these unprotected rawtext contexts.
  Removed (en): DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
  Added (en): DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

05 Mar 2026, 00:03

Type: References
  Removed: https://github.com/cure53/DOMPurify
  Added:   https://github.com/cure53/DOMPurify - Product
Type: References
  Removed: https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5
  Added:   https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5 - Patch
Type: References
  Removed: https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml
  Added:   https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml - Third Party Advisory
Type: First Time
  Added: Cure53
  Added: Cure53 dompurify
Type: CPE
  Added: cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*

03 Mar 2026, 20:16

Type: References
  Removed: https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safeforxml (source: disclosure@vulncheck.com)
  Added:   https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml

03 Mar 2026, 18:16

Type: New CVE

Information

Published : 2026-03-03 18:16

Updated : 2026-03-25 16:16


NVD link : CVE-2026-0540

Mitre link : CVE-2026-0540

CVE.ORG link : CVE-2026-0540


Products Affected

cure53

  • dompurify
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')