Cross-Site Scripting Vulnerability in DOMPurify Product by Cure53
CVE-2026-0540

5.3 MEDIUM

Key Information:

Vendor

Cure53

Status
Vendor
CVE Published:
3 March 2026

What is CVE-2026-0540?

DOMPurify, a popular HTML sanitization library, is affected by a cross-site scripting vulnerability caused by insufficient attribute sanitization in certain versions. Specifically, the vulnerability arises because five rawtext elements (noscript, xmp, noembed, noframes, and iframe) are not covered by the SAFE_FOR_XML regex. Attackers can exploit this issue by injecting malicious payloads into attribute values, which may allow them to execute arbitrary JavaScript when the sanitized output is rendered in contexts that do not enforce the necessary restrictions.

Affected Version(s)

DOMPurify 3.1.3 through 3.3.1 (3.1.3 <= version <= 3.3.1)

DOMPurify 2.5.3 through 2.5.8 (2.5.3 <= version <= 2.5.8)
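As an added example (not part of this advisory and not DOMPurify project code), the following checks a deployed DOMPurify version against the affected ranges listed above and adds a defence-in-depth hook that drops attribute values embedding any of the five rawtext tags named in the description. The attribute heuristic is this example's own and is not the upstream fix; DOMPurify.addHook('uponSanitizeAttribute', fn) is the library's real hook API, and the instance is passed in as a parameter so the snippet runs without the library installed.

```javascript
// Affected ranges as stated in this advisory (inclusive on both ends).
const AFFECTED_RANGES = [
  { min: [3, 1, 3], max: [3, 3, 1] }, // DOMPurify 3.1.3 <= v <= 3.3.1
  { min: [2, 5, 3], max: [2, 5, 8] }, // DOMPurify 2.5.3 <= v <= 2.5.8
];

// Rawtext elements the advisory says were missing from the SAFE_FOR_XML regex.
const RAWTEXT_ELEMENTS = ['noscript', 'xmp', 'noembed', 'noframes', 'iframe'];

// Matches an opening or closing tag of any of those elements inside a string
// (heuristic written for this example, not DOMPurify's own regex).
const RAWTEXT_TAG_RE = new RegExp(
  `<\\/?(?:${RAWTEXT_ELEMENTS.join('|')})(?=[\\s/>])`, 'i');

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the given DOMPurify version falls inside an affected range.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    r => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0);
}

// True when an attribute value embeds one of the rawtext tags.
function attributeEmbedsRawtextTag(value) {
  return RAWTEXT_TAG_RE.test(String(value));
}

// Registers a hook on a DOMPurify instance that drops such attributes.
// The hook event carries attrValue and keepAttr; clearing keepAttr removes it.
function installRawtextAttributeHook(purify) {
  purify.addHook('uponSanitizeAttribute', (node, data) => {
    if (attributeEmbedsRawtextTag(data.attrValue)) {
      data.keepAttr = false;
    }
  });
}
```

Upgrading to a fixed release remains the actual remediation; the hook only narrows exposure while an affected version is still deployed.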

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Scott Moore - VulnCheck