Vulnerability-Lookup

CVE-2026-0540 (GCVE-0-2026-0540)

Vulnerability from cvelistv5 – Published: 2026-03-03 17:26 – Updated: 2026-03-25 15:52 X_Open Source

Title

DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML

Summary

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Assigner

VulnCheck

References

URL

Tags

	https://github.com/cure53/DOMPurify	product
	https://github.com/cure53/DOMPurify/commit/302b51…	patch
	https://github.com/cure53/DOMPurify/releases/tag/3.3.2	release-notes
	https://fluidattacks.com/advisories/daft	third-party-advisory
	https://www.vulncheck.com/advisories/dompurify-xs…	third-party-advisory

Impacted products

	Vendor	Product	Version
	cure53	DOMPurify	Affected: 3.1.3 , ≤ 3.3.1 (semver) Affected: 2.5.3 , ≤ 2.5.8 (semver)

Date Public ?

2026-03-24 14:30

Credits

Camilo Vera - Fluid Attacks Cristian Vargas - Fluid Attacks Scott Moore - VulnCheck

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0540",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T19:01:28.294008Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T19:02:09.216Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DOMPurify",
          "vendor": "cure53",
          "versions": [
            {
              "lessThanOrEqual": "3.3.1",
              "status": "affected",
              "version": "3.1.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.5.8",
              "status": "affected",
              "version": "2.5.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "3.3.1",
                  "versionStartIncluding": "3.1.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.5.8",
                  "versionStartIncluding": "2.5.3",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Camilo Vera - Fluid Attacks"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Cristian Vargas - Fluid Attacks"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Moore - VulnCheck"
        }
      ],
      "datePublic": "2026-03-24T14:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u0026lt;/noscript\u0026gt;\u0026lt;img src=x onerror=alert(1)\u0026gt; in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.\u003c/p\u003e"
            }
          ],
          "value": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u003c/noscript\u003e\u003cimg src=x onerror=alert(1)\u003e in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T15:52:12.404Z",
        "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "shortName": "Fluid Attacks"
      },
      "references": [
        {
          "name": "DOMPurify GitHub Repository",
          "tags": [
            "product"
          ],
          "url": "https://github.com/cure53/DOMPurify"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"
        },
        {
          "name": "VulnCheck Advisory: DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://fluidattacks.com/advisories/daft"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML",
      "x_generator": {
        "engine": "scooter"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-0540",
    "datePublished": "2026-03-03T17:26:06.621Z",
    "dateReserved": "2025-12-27T01:44:44.145Z",
    "dateUpdated": "2026-03-25T15:52:12.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-0540\",\"sourceIdentifier\":\"help@fluidattacks.com\",\"published\":\"2026-03-03T18:16:24.457\",\"lastModified\":\"2026-03-25T16:16:10.060\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u003c/noscript\u003e\u003cimg src=x onerror=alert(1)\u003e in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.\"},{\"lang\":\"es\",\"value\":\"DOMPurify 3.1.3 a 3.3.1 y 2.5.3 a 2.5.8, corregido en la confirmaci\u00f3n 729097f, contienen una vulnerabilidad de secuencias de comandos entre sitios que permite a los atacantes eludir la desinfecci\u00f3n de atributos aprovechando cinco elementos de texto sin formato que faltan (noscript, xmp, noembed, noframes, iframe) en la expresi\u00f3n regular SAFE_FOR_XML. Los atacantes pueden incluir cargas \u00fatiles como  en los valores de los atributos para ejecutar JavaScript cuando la salida saneada se coloca dentro de estos contextos de texto sin formato desprotegidos.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"help@fluidattacks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"help@fluidattacks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"help@fluidattacks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.3\",\"versionEndIncluding\":\"2.5.8\",\"matchCriteriaId\":\"C22E0FEE-2372-417A-844F-551C74F3E0AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.3\",\"versionEndIncluding\":\"3.3.1\",\"matchCriteriaId\":\"A8A0F3E6-D011-485E-941C-D0C68AB314D5\"}]}]}],\"references\":[{\"url\":\"https://fluidattacks.com/advisories/daft\",\"source\":\"help@fluidattacks.com\"},{\"url\":\"https://github.com/cure53/DOMPurify\",\"source\":\"help@fluidattacks.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80\",\"source\":\"help@fluidattacks.com\"},{\"url\":\"https://github.com/cure53/DOMPurify/releases/tag/3.3.2\",\"source\":\"help@fluidattacks.com\"},{\"url\":\"https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml\",\"source\":\"help@fluidattacks.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0540\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-03T19:01:28.294008Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-03T19:02:02.973Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Camilo Vera - Fluid Attacks\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Cristian Vargas - Fluid Attacks\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Scott Moore - VulnCheck\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"cure53\", \"product\": \"DOMPurify\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.1.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.3.1\"}, {\"status\": \"affected\", \"version\": \"2.5.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.5.8\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-03-24T14:30:00.000Z\", \"references\": [{\"url\": \"https://github.com/cure53/DOMPurify\", \"name\": \"DOMPurify GitHub Repository\", \"tags\": [\"product\"]}, {\"url\": \"https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/cure53/DOMPurify/releases/tag/3.3.2\", \"name\": \"VulnCheck Advisory: DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://fluidattacks.com/advisories/daft\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"scooter\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u003c/noscript\u003e\u003cimg src=x onerror=alert(1)\u003e in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u0026lt;/noscript\u0026gt;\u0026lt;img src=x onerror=alert(1)\u0026gt; in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"3.3.1\", \"versionStartIncluding\": \"3.1.3\"}, {\"criteria\": \"cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"2.5.8\", \"versionStartIncluding\": \"2.5.3\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"84fe0718-d6bb-4716-a7e8-81a6d1daa869\", \"shortName\": \"Fluid Attacks\", \"dateUpdated\": \"2026-03-25T15:52:12.404Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-0540\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T15:52:12.404Z\", \"dateReserved\": \"2025-12-27T01:44:44.145Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-03-03T17:26:06.621Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-V2WJ-7WPQ-C8VV

Vulnerability from github – Published: 2026-03-03 18:31 – Updated: 2026-03-30 14:51

Summary

DOMPurify contains a Cross-site Scripting vulnerability

Details

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.3.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "dompurify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.3"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "dompurify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.3"
            },
            {
              "fixed": "2.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-0540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:51:54Z",
    "nvd_published_at": "2026-03-03T18:16:24Z",
    "severity": "MODERATE"
  },
  "details": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the `SAFE_FOR_XML` regex. Attackers can include payloads like `\u003c/noscript\u003e\u003cimg src=x onerror=alert(1)\u003e` in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.",
  "id": "GHSA-v2wj-7wpq-c8vv",
  "modified": "2026-03-30T14:51:32Z",
  "published": "2026-03-03T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0540"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/daft"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cure53/DOMPurify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DOMPurify contains a Cross-site Scripting vulnerability"
}

FKIE_CVE-2026-0540

Vulnerability from fkie_nvd - Published: 2026-03-03 18:16 - Updated: 2026-03-25 16:16

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
help@fluidattacks.com	https://fluidattacks.com/advisories/daft
help@fluidattacks.com	https://github.com/cure53/DOMPurify	Product
help@fluidattacks.com	https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80
help@fluidattacks.com	https://github.com/cure53/DOMPurify/releases/tag/3.3.2
help@fluidattacks.com	https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml	Third Party Advisory

Impacted products

	Vendor	Product	Version
	cure53	dompurify	*
	cure53	dompurify	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C22E0FEE-2372-417A-844F-551C74F3E0AE",
              "versionEndIncluding": "2.5.8",
              "versionStartIncluding": "2.5.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8A0F3E6-D011-485E-941C-D0C68AB314D5",
              "versionEndIncluding": "3.3.1",
              "versionStartIncluding": "3.1.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u003c/noscript\u003e\u003cimg src=x onerror=alert(1)\u003e in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts."
    },
    {
      "lang": "es",
      "value": "DOMPurify 3.1.3 a 3.3.1 y 2.5.3 a 2.5.8, corregido en la confirmaci\u00f3n 729097f, contienen una vulnerabilidad de secuencias de comandos entre sitios que permite a los atacantes eludir la desinfecci\u00f3n de atributos aprovechando cinco elementos de texto sin formato que faltan (noscript, xmp, noembed, noframes, iframe) en la expresi\u00f3n regular SAFE_FOR_XML. Los atacantes pueden incluir cargas \u00fatiles como  en los valores de los atributos para ejecutar JavaScript cuando la salida saneada se coloca dentro de estos contextos de texto sin formato desprotegidos."
    }
  ],
  "id": "CVE-2026-0540",
  "lastModified": "2026-03-25T16:16:10.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "help@fluidattacks.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "help@fluidattacks.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-03T18:16:24.457",
  "references": [
    {
      "source": "help@fluidattacks.com",
      "url": "https://fluidattacks.com/advisories/daft"
    },
    {
      "source": "help@fluidattacks.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/cure53/DOMPurify"
    },
    {
      "source": "help@fluidattacks.com",
      "url": "https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"
    },
    {
      "source": "help@fluidattacks.com",
      "url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
    },
    {
      "source": "help@fluidattacks.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml"
    }
  ],
  "sourceIdentifier": "help@fluidattacks.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "help@fluidattacks.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-0540 (GCVE-0-2026-0540)

GHSA-V2WJ-7WPQ-C8VV

FKIE_CVE-2026-0540

Tags

Sightings

Nomenclature