PT-2026-22765 · Dompurify · Dompurify
Cure53 · Published 2026-03-03 · Updated 2026-06-02 · CVE-2026-0540
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
DOMPurify versions 2.5.3 through 2.5.8
DOMPurify versions 3.1.3 through 3.3.1
Description
DOMPurify contains a cross-site scripting issue that allows attackers to bypass attribute sanitization. This bypass is achieved by exploiting missing rawtext elements (noscript, xmp, noembed, noframes, iframe) within the SAFE FOR XML regular expression. Attackers can inject payloads, such as
, into attribute values. When the sanitized output is placed within these unprotected rawtext contexts, the JavaScript payload can be executed.
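As an added example that is not part of this advisory or of the DOMPurify project, the following script flags installed DOMPurify copies whose version lies in the affected ranges listed above, walking a package-lock.json so that nested copies under other packages are caught too; the lockfile fragment at the bottom is constructed for the demonstration.

```javascript
// Added example, not part of the advisory: flag installed DOMPurify copies
// whose version lies inside the affected ranges listed above (inclusive).
const AFFECTED_RANGES = [
  { from: [2, 5, 3], to: [2, 5, 8] }, // DOMPurify 2.5.3 through 2.5.8
  { from: [3, 1, 3], to: [3, 3, 1] }, // DOMPurify 3.1.3 through 3.3.1
];

// Parse "3.1.6", "v3.1.6" or "3.1.6-beta.1" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version falls inside any affected range (bounds inclusive).
function isAffectedDompurifyVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.to) <= 0
  );
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every affected dompurify entry, including nested copies.
function findAffectedInLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    if (entry.version && isAffectedDompurifyVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment: one safe top-level copy, one affected nested copy.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/dompurify': { version: '2.5.2' },
    'node_modules/some-lib/node_modules/dompurify': { version: '3.2.4' },
  },
};

console.log(findAffectedInLockfile(SAMPLE_LOCK));
```

Pre-release suffixes are ignored when comparing, so a build such as 3.3.1-rc.1 is reported as affected; treat that as a prompt to verify rather than a false positive.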
Recommendations
Update to a version of DOMPurify that includes commit 729097f.
Fix
XSS
Affected Products
Dompurify