DOM-only Cross-Site Scripting Vulnerability in DOMPurify Affects Multiple Versions
CVE-2026-49459

6.1MEDIUM

Key Information:

Vendor

Cure53

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-49459?

A vulnerability in DOMPurify, a DOM-only sanitizer for HTML, MathML, and SVG, allows attackers to preserve event-handler attributes on a controlled root. This occurs when descendant names overwrite properties monitored by the sanitization process. The _forceRemove function does not operate effectively on parent-less roots, and the _sanitizeAttributes method returns prematurely, leading to potential exploitation. This issue has been resolved in version 3.4.6 of DOMPurify, which implements necessary checks to prevent such vulnerabilities.

Affected Version(s)

DOMPurify < 3.4.6

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.