CVE-2026-41240

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions DOMPurify versions prior to 3.4.0

Description An inconsistency exists between the handling of FORBID TAGS and FORBID ATTR when a function-based ADD TAGS configuration is used. Specifically, when the EXTRA ELEMENT HANDLING.tagCheck function returns true, a short-circuit evaluation occurs that bypasses the FORBID TAGS check. This allows forbidden elements, such as iframe, object, embed, and form, to bypass sanitization and remain in the output with their attributes intact.

Recommendations Update to version 3.4.0.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-183CWE-79

Related Identifiers

CLEANSTART-2026-BE61221

CLEANSTART-2026-LC05413

CVE-2026-41240

GHSA-H7MW-GPVR-XQ4M

OPENSUSE-SU-2026:10888-1

Affected Products

Dompurify

CVE-2026-41240

Weakness Enumeration

Related Identifiers

Affected Products

References · 214