PT-2026-34602 · Dompurify · Dompurify

Published: 2026-04-22 · Updated: 2026-05-18 · CVE-2026-41238

CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: DOMPurify versions 3.0.1 through 3.3.3

Description: DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. A prototype-pollution-based XSS bypass exists when DOMPurify.sanitize() is called with the default configuration, that is, without a CUSTOM_ELEMENT_HANDLING option. In this scenario, a prototype pollution gadget elsewhere in the page can place permissive regular expressions on Object.prototype under the property names tagNameCheck and attributeNameCheck. Because the fallback object DOMPurify uses for CUSTOM_ELEMENT_HANDLING inherits from Object.prototype and owns neither property, those polluted values are read during custom element and attribute validation, so arbitrary custom elements and attributes, including event handlers, pass sanitization. Exploitation requires a separate prototype pollution primitive in the application, which is why the attack complexity is rated High.

Recommendations: Update DOMPurify to version 3.4.0. As a temporary workaround, pass an explicit CUSTOM_ELEMENT_HANDLING configuration to DOMPurify.sanitize() with tagNameCheck and attributeNameCheck set to null. Own properties shadow anything inherited from Object.prototype, so a polluted value is then never consulted.
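The following is an added example and not DOMPurify's source code. It is a minimal model of the custom-element gate the advisory describes: a fallback config object that inherits from Object.prototype, a simulated pollution gadget that plants permissive regexes on tagNameCheck and attributeNameCheck, and the two countermeasures (the explicit-null workaround and a null-prototype fallback). The allow-lists, the function names customElementHandlingVulnerable, customElementHandlingHardened, modelSanitize and scenarios, and the pre-parsed sample input are all assumptions constructed for this illustration.

```javascript
// Added example (not DOMPurify's code): model of the fallback-object lookup
// that lets a polluted Object.prototype reach custom element validation.
// ALLOWED_TAGS/ALLOWED_ATTR and the sample input are constructed for the demo.
const ALLOWED_TAGS = new Set(['div', 'p', 'span', 'a']);
const ALLOWED_ATTR = new Set(['href', 'class', 'id', 'title']);
// Simplified custom-element name rule: a hyphenated name such as "x-foo".
const CUSTOM_ELEMENT = /^[a-z][.\w]*(-[.\w]+)+$/i;

function isCustomElement(tag) {
  return CUSTOM_ELEMENT.test(tag);
}

// Vulnerable pattern: with no CUSTOM_ELEMENT_HANDLING supplied, fall back to a
// plain object literal. It owns neither check key, so reads of tagNameCheck and
// attributeNameCheck walk up to Object.prototype, where a gadget may have put one.
function customElementHandlingVulnerable(cfg) {
  return cfg.CUSTOM_ELEMENT_HANDLING || {};
}

// Hardened pattern: null-prototype fallback that owns both keys, copying only
// own properties from the caller's object.
function customElementHandlingHardened(cfg) {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const handling = Object.create(null);
  handling.tagNameCheck = null;
  handling.attributeNameCheck = null;
  const user = hasOwn(cfg, 'CUSTOM_ELEMENT_HANDLING') ? cfg.CUSTOM_ELEMENT_HANDLING : null;
  if (user) {
    for (const key of ['tagNameCheck', 'attributeNameCheck']) {
      if (hasOwn(user, key)) handling[key] = user[key];
    }
  }
  return handling;
}

// A check is honoured only when it is a RegExp or function that matches.
function checkMatches(check, name) {
  if (check instanceof RegExp) return check.test(name);
  if (typeof check === 'function') return Boolean(check(name));
  return false;
}

function tagAllowed(handling, tag) {
  if (ALLOWED_TAGS.has(tag)) return true;
  return isCustomElement(tag) && checkMatches(handling.tagNameCheck, tag);
}

function attrAllowed(handling, tag, attr) {
  if (ALLOWED_ATTR.has(attr)) return true;
  return isCustomElement(tag) && checkMatches(handling.attributeNameCheck, attr);
}

// Toy sanitizer over pre-parsed nodes: drops disallowed elements and attributes.
function modelSanitize(handling, nodes) {
  const kept = [];
  for (const node of nodes) {
    if (!tagAllowed(handling, node.tag)) continue;
    const attrs = {};
    for (const [name, value] of Object.entries(node.attrs)) {
      if (attrAllowed(handling, node.tag, name)) attrs[name] = value;
    }
    kept.push({ tag: node.tag, attrs });
  }
  return kept;
}

// Simulates what a prototype pollution gadget (e.g. an unsafe deep merge fed
// "__proto__" keys) would achieve, and always restores Object.prototype.
function withPollutedPrototype(fn) {
  Object.prototype.tagNameCheck = /.*/;
  Object.prototype.attributeNameCheck = /.*/;
  try {
    return fn();
  } finally {
    delete Object.prototype.tagNameCheck;
    delete Object.prototype.attributeNameCheck;
  }
}

// Constructed input standing in for "<evil-el onclick=alert(1) class=x>".
const SAMPLE = [{ tag: 'evil-el', attrs: { onclick: 'alert(1)', class: 'x' } }];
const EXPLICIT_NULLS = { CUSTOM_ELEMENT_HANDLING: { tagNameCheck: null, attributeNameCheck: null } };

// Reports which attributes of the custom element survive in each scenario;
// null means the element itself was dropped.
function scenarios() {
  const surviving = (handling) => {
    const out = modelSanitize(handling, SAMPLE);
    return out.length ? Object.keys(out[0].attrs) : null;
  };
  return {
    defaultClean: surviving(customElementHandlingVulnerable({})),
    defaultPolluted: withPollutedPrototype(() => surviving(customElementHandlingVulnerable({}))),
    workaroundPolluted: withPollutedPrototype(() => surviving(customElementHandlingVulnerable(EXPLICIT_NULLS))),
    hardenedPolluted: withPollutedPrototype(() => surviving(customElementHandlingHardened({}))),
  };
}

console.log(scenarios());
```

Run with Node. Only the defaultPolluted scenario keeps the custom element and its onclick handler; the explicit-null workaround survives pollution because the own null property shadows the inherited regex, and the hardened fallback never consults Object.prototype at all.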

Exploit

Fix

XSS

Prototype Pollution

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-41238
GHSA-V9JR-RG53-9PGP

Affected Products

Dompurify