DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
cure53 DOMPurify affected
Version Status Constraints
3.1.3 affected ≤ 3.3.1
2.5.3 affected ≤ 2.5.8

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Cure53 Subscribe
Dompurify Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/cure53/DOMPurify cve-icon cve-icon
https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5 cve-icon cve-icon
https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml cve-icon
https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safeforxml cve-icon
History

Tue, 03 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
Title DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML
First Time appeared Cure53
Cure53 dompurify
Weaknesses CWE-79
CPEs cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*
Vendors & Products Cure53
Cure53 dompurify
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-03T19:02:09.216Z

Reserved: 2025-12-27T01:44:44.145Z

Link: CVE-2026-0540

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-03T18:16:24.457

Modified: 2026-03-03T18:16:24.457

Link: CVE-2026-0540

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses