PT-2026-34603 · Dompurify · Dompurify

Published

2026-04-22

·

Updated

2026-05-18

·

CVE-2026-41239

CVSS v3.1

6.8

Medium

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

DOMPurify versions 1.0.10 through 3.3.x
Description

When the SAFE_FOR_TEMPLATES option is enabled, DOMPurify is intended to strip {{...}} template expressions from untrusted HTML so that the output cannot trigger cross-site scripting (XSS) when a template-evaluating framework such as Vue 2 compiles it. This protection is incomplete when the caller also sets RETURN_DOM or RETURN_DOM_FRAGMENT. The sanitizer scrubs each text node individually while walking the tree and then applies a final scrub to the serialized string, but the RETURN_DOM and RETURN_DOM_FRAGMENT paths return the DOM before that final string scrub runs. An attacker can defeat the per-node check by splitting a template expression across several text nodes with disallowed tags placed between the pieces, so that no single node contains a complete expression. When DOMPurify removes those tags and keeps their content, the surviving text nodes sit next to each other and read back as one complete {{...}} expression, which the framework then evaluates.
Recommendations

Update to version 3.4.0. As a temporary workaround, do not combine the RETURN_DOM or RETURN_DOM_FRAGMENT options with SAFE_FOR_TEMPLATES; take the default string output instead and build a DOM from that string if one is needed.
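The following is an added illustration, not DOMPurify's own source: a small, self-contained model of the three steps the description names (per-node text scrub, removal of disallowed tags with their content kept, and a final whole-string scrub that only the string path reaches). The parser, serializer, ALLOWED_TAGS set and payload are constructed for the demo; only the option names mirror DOMPurify's, and the mustache regex is an approximation of its matcher. Running it shows why the string path strips the expression while the RETURN_DOM path hands a merged {{...}} back to the caller, and encodes the workaround from the recommendation as a function.

```javascript
// Added example, not DOMPurify's source. Models the pipeline the advisory
// describes so the RETURN_DOM shortcut can be demonstrated offline.

const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'span']); // constructed allow-list

// Approximation of a mustache matcher: anything from "{{" onward, or anything
// up to "}}". Neither half of a pair split as "{" + "{" matches on its own.
const MUSTACHE_EXPR = /\{\{[\w\W]*|[\w\W]*\}\}/gm;

function scrub(s) {
  return s.replace(MUSTACHE_EXPR, ' ');
}

// Minimal HTML-subset parser into {type:'element', tag, children} / {type:'text', data}.
function parse(html) {
  const root = { type: 'element', tag: '#root', children: [] };
  const stack = [root];
  const tok = /<\/?([a-zA-Z0-9]+)[^>]*>|[^<]+/g;
  let m;
  while ((m = tok.exec(html)) !== null) {
    const t = m[0];
    if (t[0] !== '<') {
      stack[stack.length - 1].children.push({ type: 'text', data: t });
    } else if (t[1] === '/') {
      if (stack.length > 1) stack.pop();
    } else {
      const el = { type: 'element', tag: m[1].toLowerCase(), children: [] };
      stack[stack.length - 1].children.push(el);
      stack.push(el);
    }
  }
  return root;
}

function serialize(node) {
  return node.children
    .map((c) => (c.type === 'text' ? c.data : `<${c.tag}>${serialize(c)}</${c.tag}>`))
    .join('');
}

// What a template-evaluating framework effectively reads from a returned DOM:
// adjacent text nodes concatenated.
function textOf(node) {
  return node.children.map((c) => (c.type === 'text' ? c.data : textOf(c))).join('');
}

// Steps 1 and 2: scrub each text node as it is visited; drop disallowed
// elements but hoist their children into the parent, and visit the hoisted
// nodes afterwards (as a DOM NodeIterator would).
function sanitizeTree(node) {
  const kids = node.children;
  for (let i = 0; i < kids.length; ) {
    const c = kids[i];
    if (c.type === 'text') {
      c.data = scrub(c.data); // sees one fragment at a time
      i += 1;
    } else if (!ALLOWED_TAGS.has(c.tag)) {
      kids.splice(i, 1, ...c.children); // keep content, remove the tag
    } else {
      sanitizeTree(c);
      i += 1;
    }
  }
}

// Vulnerable behaviour: RETURN_DOM returns the tree before step 3, the
// whole-string scrub that the string path applies to the serialized markup.
function sanitize(html, { RETURN_DOM = false } = {}) {
  const tree = parse(html);
  sanitizeTree(tree);
  if (RETURN_DOM) return tree; // early exit, final scrub skipped
  return scrub(serialize(tree)); // step 3 catches merged expressions
}

// The recommended workaround in code: take the string path, then build the
// DOM from the scrubbed string instead of asking for RETURN_DOM.
function sanitizeToDomSafely(html) {
  return parse(sanitize(html));
}

// Constructed payload: every text node carries a lone brace, so no single node
// matches MUSTACHE_EXPR; once <xyz> is dropped the pieces read "{{alert(1)}}".
const PAYLOAD = '{<xyz>{alert(1)}</xyz>}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(sanitize(PAYLOAD)));                     // " "
  console.log(textOf(sanitize(PAYLOAD, { RETURN_DOM: true })));        // {{alert(1)}}
  console.log(JSON.stringify(textOf(sanitizeToDomSafely(PAYLOAD)))); // " "
}
```

The model deliberately keeps adjacent text nodes separate, as a real DOM does; the merge only happens when a consumer reads the text back, which is exactly when a template compiler would see the reassembled expression. The same check (`textOf` on the returned tree containing `{{`) is a cheap regression test for any wrapper that still needs DOM output from a sanitizer with template scrubbing enabled.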

Fix

Update to DOMPurify 3.4.0.

Weakness Enumeration

XSS

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-LC05413
CVE-2026-41239
GHSA-CRV5-9VWW-Q3G8

Affected Products

Dompurify