DOM-only Cross-Site Scripting Vulnerability in DOMPurify by Cure53
CVE-2026-49458

6.1MEDIUM

Key Information:

Vendor

Cure53

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-49458?

The vulnerability in DOMPurify allows attackers to exploit improper sanitization of foreign-realm DOM nodes. Prior to version 3.4.6, the sanitize method failed to execute valid security checks, permitting executable markup to bypass sanitization phases. This significantly compromises the integrity of web applications relying on DOMPurify for safety against cross-site scripting attacks. The issue has been addressed in version 3.4.6, which enhances the security controls associated with DOM node processing.

Affected Version(s)

DOMPurify < 3.4.6

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.