CVE-2026-49978

Name of the Vulnerable Software and Affected Versions DOMPurify (affected versions not specified)

Description An issue exists where the sanitizer skips the contents of a shadow DOM attached to an element inside a <template> element. This allows malicious payloads, such as images with onerror handlers, links with javascript: URLs, or script tags, to remain untouched during the sanitization process. When the application clones the template and inserts it into the page, the payload executes, leading to Cross-Site Scripting (XSS), which is a technique used to inject malicious scripts into web pages. This can result in the theft of session cookies and stored tokens, allowing an attacker to act as the user or leave persistent payloads for other visitors.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.