dompurify (npm)
10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting dompurify (page 1 of 1)
- CVE-2019-16728 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 2.0.3 | Published 2019-09-24
  DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.
- CVE-2019-25155 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 1.0.11 | Published 2023-11-07
  DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
- CVE-2020-26870 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 2.0.17 | Published 2020-10-07
  Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM eleme…
- CVE-2024-45801 | HIGH | CVSS 7.3 | EG 7.3 | Fixed in 3.1.3 | Published 2024-09-16
  DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It …
- CVE-2024-47875 | CRITICAL | CVSS 10.0 | EG 10.0 | Fixed in 3.1.3 | Published 2024-10-11
  DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
- CVE-2024-48910 | CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 2.4.2 | Published 2024-10-31
  DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
- CVE-2025-26791 | MEDIUM | CVSS 4.5 | EG 4.5 | Fixed in 3.2.4 | Published 2025-02-14
  DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
- CVE-2026-41238 | MEDIUM | CVSS 6.9 | EG 6.9 | Fixed in 3.4.0 | Published 2026-04-23
  DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default confi…
- CVE-2026-41239 | MEDIUM | CVSS 6.8 | EG 6.8 | Fixed in 3.4.0 | Published 2026-04-23
  DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but n…
- CVE-2026-41240 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 3.4.0 | Published 2026-04-23
  DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an earl…
Check whether dompurify is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for dompurify CVEs against the assets you own.