Vulnerability Description
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
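The attribute check described above, as an added illustration rather than DOMPurify's own source: a simplified stand-in for the SAFE_FOR_XML regex in its weak form beside a corrected form that includes the five rawtext elements named in the advisory. The exact regex bodies and the helper names are assumptions; only the element names and the sample payload come from this page.

```javascript
// Added illustration, not DOMPurify's own code. Both regexes are simplified
// stand-ins (assumption) for the SAFE_FOR_XML check that a sanitizer applies
// to attribute values: an attribute is dropped when its value contains a
// closing tag that could end a rawtext element and start fresh markup.

// Weak variant modelled on the affected versions: some rawtext closers are
// caught, but the five listed in the advisory are absent.
const SAFE_FOR_XML_WEAK = /((--!?|])>)|<\/(style|title|textarea)/i;

// Corrected variant: noscript, xmp, noembed, noframes and iframe are added,
// so a closing tag for any of them in an attribute value is treated as unsafe.
const SAFE_FOR_XML_FIXED =
  /((--!?|])>)|<\/(style|title|textarea|noscript|xmp|noembed|noframes|iframe)/i;

// Returns the value unchanged when it passes the check, or null when the
// sanitizer would remove the attribute. `regex` selects which variant to use.
function sanitizeAttributeValue(value, regex = SAFE_FOR_XML_FIXED) {
  return regex.test(String(value)) ? null : value;
}

// Applies the check to every attribute of an element and returns only the
// attributes that survive, mirroring a sanitizer dropping offenders one by one.
function sanitizeAttributes(attrs, regex = SAFE_FOR_XML_FIXED) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const safe = sanitizeAttributeValue(value, regex);
    if (safe !== null) kept[name] = safe;
  }
  return kept;
}

// Constructed sample: the payload quoted in the advisory placed in a `title`
// attribute next to a harmless attribute.
const SAMPLE_ATTRS = {
  title: '</noscript><img src=x onerror=alert(1)>',
  alt: 'plain text',
};

// The weak regex keeps `title`; the corrected one drops it and keeps `alt`.
console.log('weak :', sanitizeAttributes(SAMPLE_ATTRS, SAFE_FOR_XML_WEAK));
console.log('fixed:', sanitizeAttributes(SAMPLE_ATTRS, SAFE_FOR_XML_FIXED));
```

A defender can run the corrected regex over stored attribute values as a detection sweep for content that would have slipped past an affected version.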
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cure53 | Dompurify | >= 2.5.3, <= 2.5.8 |
Related Weaknesses (CWE)
References
- https://fluidattacks.com/advisories/daft
- https://github.com/cure53/DOMPurify (Product)
- https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46
- https://github.com/cure53/DOMPurify/releases/tag/3.3.2
- https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements (Third Party Advisory)
FAQ
What is CVE-2026-0540?
CVE-2026-0540 is a vulnerability with a CVSS score of 6.1 (MEDIUM). DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five m...
How severe is CVE-2026-0540?
CVE-2026-0540 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-0540?
Check the references section above for vendor advisories and patch information. Affected products include: Cure53 Dompurify.