DOM-only Cross-Site Scripting Vulnerability in DOMPurify by Cure53
CVE-2026-49458
6.1MEDIUM
What is CVE-2026-49458?
The vulnerability in DOMPurify allows attackers to exploit improper sanitization of foreign-realm DOM nodes. Prior to version 3.4.6, the sanitize method failed to execute valid security checks, permitting executable markup to bypass sanitization phases. This significantly compromises the integrity of web applications relying on DOMPurify for safety against cross-site scripting attacks. The issue has been addressed in version 3.4.6, which enhances the security controls associated with DOM node processing.
Affected Version(s)
DOMPurify < 3.4.6
