CVE-2026-41238

· Published 23/04/2026 16:16 · Modified 23/04/2026 18:16

Labels: CVE-2026-41238, 2026-04-23, CWE-79, [email protected]

Essential information

Published
23/04/2026 16:16
Modified
23/04/2026 18:16
Author
Creator
CVSS
6.9 MEDIUM (v3.1)
CISA KEV
No
CWE
CWE-79
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Description

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.
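The mechanism described above, reduced to a self-contained model. This is an added example, not DOMPurify's code: the toy sanitizer, the `unsafeMerge` gadget, the string-pattern form of the checks and the constructed payload are illustrative assumptions, and only the option names (`CUSTOM_ELEMENT_HANDLING`, `tagNameCheck`, `attributeNameCheck`) follow the advisory. It shows why a configuration lookup on a plain object is a prototype-pollution sink: once `Object.prototype` carries the two check names, the default-configured sanitizer reads them as if the caller had supplied them, and a custom element with an `onclick` attribute passes through. The hardened variant honours only own properties of the caller's config.

```javascript
// Added example: a toy model of the bug class in the description, not DOMPurify's
// implementation. Option names mirror the advisory; everything else is illustrative.

// Attributes any element may keep in this toy (assumption for the model).
const BASE_ATTRS = new Set(['id', 'class', 'title']);

// The gadget: a naive recursive merge of untrusted data into a settings object.
// JSON.parse yields an own property literally named "__proto__", and
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// attacker-chosen keys onto every plain object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && target[key] && typeof target[key] === 'object') {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Checks may be a RegExp or a string pattern; the string form is this toy's
// choice so that a JSON payload can reach it. Anything else means "no check".
function toRegExp(check) {
  if (check instanceof RegExp) return check;
  if (typeof check === 'string') return new RegExp(check);
  return null;
}

// Shared filter: a custom element (name contains "-") survives only if tagCheck
// matches, and its attributes only if attrCheck matches. Returns null when the
// element is dropped.
function filterElement(tag, attrs, tagCheck, attrCheck, denyHandlers) {
  const isCustom = tag.includes('-');
  if (isCustom && !(tagCheck && tagCheck.test(tag))) return null;
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (denyHandlers && /^on/i.test(name)) continue;
    const allowed = isCustom ? Boolean(attrCheck && attrCheck.test(name)) : BASE_ATTRS.has(name);
    if (allowed) kept[name] = value;
  }
  return { tag, attrs: kept };
}

// Vulnerable: with no CUSTOM_ELEMENT_HANDLING the lookup lands on a fresh {} whose
// prototype is Object.prototype, so polluted values are read as configuration.
function sanitizeVulnerable(tag, attrs, cfg = {}) {
  const handling = cfg.CUSTOM_ELEMENT_HANDLING || {};
  return filterElement(tag, attrs, toRegExp(handling.tagNameCheck), toRegExp(handling.attributeNameCheck), false);
}

// Hardened: only own properties of the caller's config count, absence means no
// custom elements, and on* attributes are always dropped (belt and braces).
function sanitizeHardened(tag, attrs, cfg = {}) {
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const handling = own(cfg, 'CUSTOM_ELEMENT_HANDLING') ? cfg.CUSTOM_ELEMENT_HANDLING : null;
  const tagCheck = handling && own(handling, 'tagNameCheck') ? toRegExp(handling.tagNameCheck) : null;
  const attrCheck = handling && own(handling, 'attributeNameCheck') ? toRegExp(handling.attributeNameCheck) : null;
  return filterElement(tag, attrs, tagCheck, attrCheck, true);
}

// Walks the chain end to end and returns each stage for inspection.
function demo() {
  // Constructed inputs: a pollution payload as it might arrive in a JSON body, and
  // a custom element carrying an event handler.
  const payload = JSON.parse('{"__proto__":{"tagNameCheck":".*","attributeNameCheck":".*"}}');
  const tag = 'x-widget';
  const attrs = { onclick: 'alert(1)', id: 'w' };

  const before = sanitizeVulnerable(tag, attrs);     // dropped: no custom elements by default
  unsafeMerge({}, payload);                          // gadget fires: Object.prototype now polluted
  const polluted = sanitizeVulnerable(tag, attrs);   // element and onclick survive
  const hardened = sanitizeHardened(tag, attrs);     // still dropped
  // A legitimate, explicitly supplied policy still works with the hardened variant.
  const legit = sanitizeHardened(tag, { 'data-x': '1', onclick: 'alert(1)' },
    { CUSTOM_ELEMENT_HANDLING: { tagNameCheck: /^x-/, attributeNameCheck: /^data-/ } });

  delete Object.prototype.tagNameCheck;              // undo the pollution for the rest of the process
  delete Object.prototype.attributeNameCheck;
  return { before, polluted, hardened, legit };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the three stages. The important property of the hardened variant is not the regex handling but the `hasOwnProperty` gate: a sanitizer that cannot reach its caller's config must fail closed rather than consult whatever the prototype chain offers. Freezing `Object.prototype` at application start is a common additional mitigation for the whole bug class, but it does not remove the need for the own-property check in the library itself.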

NVD status

Status
Deferred: when a CVE is given this status, the NVD does not plan to analyze or re-analyze it due to resource or other concerns.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product                  CPE
dompurify / dompurify    cpe:2.3:a:dompurify:dompurify:3.0.1-3.3.3:*:*:*:*:*:*:*
dompurify / dompurify    cpe:2.3:a:dompurify:dompurify:3.4.0:*:*:*:*:*:*:*

The description above names 3.4.0 as the fixed release, so treat only 3.0.1 through 3.3.3 as affected despite the second CPE entry.