DOM-only Cross-Site Scripting Vulnerability in DOMPurify Affects Multiple Versions
CVE-2026-49459
6.1MEDIUM
What is CVE-2026-49459?
A vulnerability in DOMPurify, a DOM-only sanitizer for HTML, MathML, and SVG, allows attackers to preserve event-handler attributes on a controlled root. This occurs when descendant names overwrite properties monitored by the sanitization process. The _forceRemove function does not operate effectively on parent-less roots, and the _sanitizeAttributes method returns prematurely, leading to potential exploitation. This issue has been resolved in version 3.4.6 of DOMPurify, which implements necessary checks to prevent such vulnerabilities.
Affected Version(s)
DOMPurify < 3.4.6
