Prototype Pollution Vulnerability in DOMPurify by Cure53
CVE-2026-41238
What is CVE-2026-41238?
CVE-2026-41238 is a significant vulnerability in DOMPurify, a popular open-source library that sanitizes HTML, MathML, and SVG to prevent cross-site scripting (XSS). It is categorized as a prototype pollution-based XSS bypass and affects versions 3.0.1 through 3.3.3. When an application calls DOMPurify.sanitize() with its default configuration, an attacker who can inject crafted regular expression values into Object.prototype can make the sanitizer accept arbitrary custom elements and attributes, including event handlers, that would otherwise be removed. Because DOMPurify is the essential protective layer against XSS in many web applications, this weakness undermines that protection and poses a serious risk to organizations relying on the library.
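As an added illustration (this is not DOMPurify's code), the snippet below shows why a sanitizer that resolves a missing option through the prototype chain picks up a polluted regular expression, the own-property check that closes that path, and a pre-sanitize guard that refuses to run while Object.prototype carries unexpected keys. The option name customTagCheck and the simulated sanitizer are constructed placeholders, not DOMPurify settings or internals.

```javascript
// Constructed default: a regex that matches nothing, i.e. no custom tags allowed.
const DEFAULT_CHECK = /^$/;

// Vulnerable pattern: when the caller's config lacks the key, the lookup falls
// through to Object.prototype, so a polluted prototype supplies the regex.
function readOptionUnsafe(cfg, key, fallback) {
  return cfg[key] !== undefined ? cfg[key] : fallback;
}

// Hardened pattern: only the caller's own properties are honoured; inherited
// (possibly polluted) values are ignored and the built-in default applies.
function readOptionSafe(cfg, key, fallback) {
  return Object.prototype.hasOwnProperty.call(cfg, key) ? cfg[key] : fallback;
}

// Simulated sanitizer decision: is this custom tag name permitted?
// 'customTagCheck' is a constructed option name for this example only.
function isCustomTagAllowed(readOption, cfg, tagName) {
  const check = readOption(cfg, 'customTagCheck', DEFAULT_CHECK);
  return check instanceof RegExp && check.test(tagName);
}

// Baseline of own keys on a pristine Object.prototype, captured at load time
// before any untrusted input is processed.
const PRISTINE_KEYS = new Set(Reflect.ownKeys(Object.prototype));

// Returns keys that were added to Object.prototype after the baseline was taken.
function findPrototypePollution() {
  return Reflect.ownKeys(Object.prototype).filter((k) => !PRISTINE_KEYS.has(k));
}

// Guard: refuse to sanitize while the prototype is polluted, since the
// sanitizer's defaults can no longer be trusted.
function guardedSanitize(sanitize, html) {
  const polluted = findPrototypePollution();
  if (polluted.length > 0) {
    throw new Error(`Object.prototype polluted: ${polluted.map(String).join(', ')}`);
  }
  return sanitize(html);
}
```

Freezing Object.prototype at application start (Object.freeze(Object.prototype)) is a complementary mitigation that prevents such keys from being added in the first place.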
Potential impact of CVE-2026-41238
- XSS Vulnerabilities: The primary impact of this vulnerability lies in its potential to facilitate XSS attacks. If attackers can inject malicious scripts through sanitized inputs, they could execute arbitrary JavaScript in the context of the user's browser, leading to data theft, session hijacking, or further exploitation of the web application.
- Unauthorized Access and Control: Because sanitization can be circumvented, attackers could exploit this vulnerability to gain unauthorized access to sensitive application functionality. This could lead to account takeovers or manipulation of critical application processes, severely compromising user data and the integrity of the application.
- Reputational and Financial Damage: Exploitation of this vulnerability can result in significant reputational harm and financial losses for organizations. The fallout from a successful attack may include legal consequences, loss of customer trust, and remediation costs, especially if sensitive data is compromised or leaked due to inadequate security measures.
Affected Version(s)
DOMPurify >= 3.0.1, < 3.4.0
