
CVE-2026-0540

Severity: Medium
CVSS Score: 6.1
Published: Mar 03, 2026
Last Modified: Mar 25, 2026

Vulnerability Description

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8 (fixed in commit 2726c74) contain a cross-site scripting vulnerability that lets an attacker bypass attribute sanitization. The regex applied under SAFE_FOR_XML (enabled by default), which strips attribute values containing a closing tag for a rawtext element, omits five such elements: noscript, xmp, noembed, noframes and iframe. An attribute value such as </noscript><img src=x onerror=alert(1)> therefore survives sanitization. If the application later serializes the sanitized markup and places it inside one of those elements, the HTML tokenizer, which ignores attribute quoting while inside rawtext content, ends the element at </noscript> and parses what follows as ordinary markup, executing the JavaScript. The bypass only matters where sanitized output is embedded in such a rawtext context; the fix is to upgrade to a release containing commit 2726c74.
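The mechanism described above, as an added example that is not part of this advisory or of DOMPurify's own code: the two regexes model the attribute check before and after the fix as the description characterises it (an assumption shaped by the advisory text, not copied from the library), and rawtextBreakout implements the HTML tokenizer's end-tag rule for rawtext content to show why a quoted attribute value offers no protection once the output lands inside <noscript>. The sample payload and the serialized fragment are constructed for the demonstration.

```javascript
// Added example, not DOMPurify's code. Models (1) the attribute check the
// advisory describes, before and after adding the five missing rawtext
// elements, and (2) the HTML tokenizer rule that lets a closing tag inside an
// attribute value terminate a rawtext element. The two regexes below are an
// assumption shaped by the advisory text, not copied from the library.

// Pre-fix model: only style and title closers are caught in attribute values.
const RAWTEXT_CLOSER_BEFORE = /<\/(style|title)/i;
// Post-fix model: the five elements named in the advisory are added.
const RAWTEXT_CLOSER_AFTER =
  /<\/(style|title|noscript|xmp|noembed|noframes|iframe)/i;

// True if the (modelled) sanitizer would drop an attribute with this value.
function stripsAttribute(value, pattern) {
  return pattern.test(value);
}

// HTML tokenizer rule for rawtext content (style, xmp, noframes, noembed,
// iframe, and noscript when scripting is enabled): the content ends at the
// first "</" + element name, case-insensitive, followed by whitespace, "/"
// or ">". Quotes around an attribute value mean nothing in this state, which
// is why a sanitizer must reject such closers inside attribute values.
// Returns whether the content breaks out and the markup the browser would
// then parse as ordinary HTML.
function rawtextBreakout(tagName, content) {
  const endTag = new RegExp("</" + tagName + "(?=[\\t\\n\\f />])", "i");
  const m = endTag.exec(content);
  if (!m) {
    return { breaksOut: false, trailingMarkup: "" };
  }
  const close = content.indexOf(">", m.index);
  const trailingMarkup = close === -1 ? "" : content.slice(close + 1);
  return { breaksOut: true, trailingMarkup };
}

// Application-side guard: if you must wrap sanitized HTML in a rawtext element,
// refuse any output that would terminate that element early.
function safeToEmbedIn(tagName, sanitizedHtml) {
  return !rawtextBreakout(tagName, sanitizedHtml).breaksOut;
}

// Constructed sample (not from the advisory): the payload from the
// description, surviving the pre-fix check and landing in a serialized
// sanitized fragment that an application then places inside <noscript>.
const HOSTILE_VALUE = "</noscript><img src=x onerror=alert(1)>";
const SERIALIZED_OUTPUT = '<a title="' + HOSTILE_VALUE + '">link</a>';

function demo() {
  return {
    survivesBeforeFix: !stripsAttribute(HOSTILE_VALUE, RAWTEXT_CLOSER_BEFORE),
    strippedAfterFix: stripsAttribute(HOSTILE_VALUE, RAWTEXT_CLOSER_AFTER),
    breakout: rawtextBreakout("noscript", SERIALIZED_OUTPUT),
    safeToWrap: safeToEmbedIn("noscript", SERIALIZED_OUTPUT),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running demo() shows the attribute passing the pre-fix model, being stripped by the post-fix model, and the serialized fragment breaking out of <noscript> with <img src=x onerror=alert(1)> as the first markup the browser would parse. The safeToEmbedIn guard is a stopgap for applications that cannot upgrade immediately and still wrap sanitized output in a rawtext element; upgrading past commit 2726c74 is the real fix.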

CVSS Metrics

Common Vulnerability Scoring System v3.1

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: None (N)
User Interaction: Required (R)
Scope: Changed (C)
Confidentiality: Low (L)
Integrity: Low (L)
Availability: None (N)

Reading the vector: a remote, unauthenticated attacker supplies the crafted content, a victim must load the page that embeds it (UI:R), and the script then runs in the origin of that page rather than in the sanitizer library itself (S:C).

Known Affected Software

20 configurations from 1 vendor (cure53), listed in version order:

dompurify 2.5.3   cpe:2.3:a:cure53:dompurify:2.5.3:*:*:*:*:*:*:*
dompurify 2.5.4   cpe:2.3:a:cure53:dompurify:2.5.4:*:*:*:*:*:*:*
dompurify 2.5.5   cpe:2.3:a:cure53:dompurify:2.5.5:*:*:*:*:*:*:*
dompurify 2.5.6   cpe:2.3:a:cure53:dompurify:2.5.6:*:*:*:*:*:*:*
dompurify 2.5.7   cpe:2.3:a:cure53:dompurify:2.5.7:*:*:*:*:*:*:*
dompurify 2.5.8   cpe:2.3:a:cure53:dompurify:2.5.8:*:*:*:*:*:*:*
dompurify 3.1.3   cpe:2.3:a:cure53:dompurify:3.1.3:*:*:*:*:*:*:*
dompurify 3.1.4   cpe:2.3:a:cure53:dompurify:3.1.4:*:*:*:*:*:*:*
dompurify 3.1.5   cpe:2.3:a:cure53:dompurify:3.1.5:*:*:*:*:*:*:*
dompurify 3.1.6   cpe:2.3:a:cure53:dompurify:3.1.6:*:*:*:*:*:*:*
dompurify 3.1.7   cpe:2.3:a:cure53:dompurify:3.1.7:*:*:*:*:*:*:*
dompurify 3.2.0   cpe:2.3:a:cure53:dompurify:3.2.0:*:*:*:*:*:*:*
dompurify 3.2.1   cpe:2.3:a:cure53:dompurify:3.2.1:*:*:*:*:*:*:*
dompurify 3.2.2   cpe:2.3:a:cure53:dompurify:3.2.2:*:*:*:*:*:*:*
dompurify 3.2.3   cpe:2.3:a:cure53:dompurify:3.2.3:*:*:*:*:*:*:*
dompurify 3.2.4   cpe:2.3:a:cure53:dompurify:3.2.4:*:*:*:*:*:*:*
dompurify 3.2.5   cpe:2.3:a:cure53:dompurify:3.2.5:*:*:*:*:*:*:*
dompurify 3.2.6   cpe:2.3:a:cure53:dompurify:3.2.6:*:*:*:*:*:*:*
dompurify 3.2.7   cpe:2.3:a:cure53:dompurify:3.2.7:*:*:*:*:*:*:*
dompurify 3.3.0   cpe:2.3:a:cure53:dompurify:3.3.0:*:*:*:*:*:*:*

This vulnerability affects the 20 CPE configurations above. Note that the list omits 3.3.1, which the description names as the last affected 3.x release; treat 3.3.1 as affected as well and patch every system running any version in the affected ranges.

Available Security Patches

1 patch available from vendors

Oracle, CPUAPR2026: Oracle Critical Patch Update Advisory - April 2026
Released: Apr 21, 2026
Severity: Critical (Oracle's rating for the whole CPU bundle, not for this CVE, which is CVSS 6.1 Medium)
Restart Required
Type: Security Update

This entry applies to Oracle products that ship DOMPurify. Applications that consume DOMPurify directly (for example from npm) are not covered by it and need the upstream fix, commit 2726c74.

Severity Details

CVSS base score 6.1 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), ranked #1 in the CWE Top 25

Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Exploit Likelihood: High
Typical Severity: Medium
OWASP Top 10: A03:2021-Injection
Abstraction Level: Base
