FKIE_CVE-2026-0540

Vulnerability from fkie_nvd - Published: 2026-03-03 18:16 - Updated: 2026-03-25 16:16
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
References
help@fluidattacks.comhttps://fluidattacks.com/advisories/daft
help@fluidattacks.comhttps://github.com/cure53/DOMPurifyProduct
help@fluidattacks.comhttps://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80
help@fluidattacks.comhttps://github.com/cure53/DOMPurify/releases/tag/3.3.2
help@fluidattacks.comhttps://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xmlThird Party Advisory
Impacted products
Vendor Product Version
cure53 dompurify *
cure53 dompurify *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C22E0FEE-2372-417A-844F-551C74F3E0AE",
              "versionEndIncluding": "2.5.8",
              "versionStartIncluding": "2.5.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8A0F3E6-D011-485E-941C-D0C68AB314D5",
              "versionEndIncluding": "3.3.1",
              "versionStartIncluding": "3.1.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u003c/noscript\u003e\u003cimg src=x onerror=alert(1)\u003e in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts."
    },
    {
      "lang": "es",
      "value": "DOMPurify 3.1.3 a 3.3.1 y 2.5.3 a 2.5.8, corregido en la confirmaci\u00f3n 729097f, contienen una vulnerabilidad de secuencias de comandos entre sitios que permite a los atacantes eludir la desinfecci\u00f3n de atributos aprovechando cinco elementos de texto sin formato que faltan (noscript, xmp, noembed, noframes, iframe) en la expresi\u00f3n regular SAFE_FOR_XML. Los atacantes pueden incluir cargas \u00fatiles como  en los valores de los atributos para ejecutar JavaScript cuando la salida saneada se coloca dentro de estos contextos de texto sin formato desprotegidos."
    }
  ],
  "id": "CVE-2026-0540",
  "lastModified": "2026-03-25T16:16:10.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "help@fluidattacks.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "help@fluidattacks.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-03T18:16:24.457",
  "references": [
    {
      "source": "help@fluidattacks.com",
      "url": "https://fluidattacks.com/advisories/daft"
    },
    {
      "source": "help@fluidattacks.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/cure53/DOMPurify"
    },
    {
      "source": "help@fluidattacks.com",
      "url": "https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"
    },
    {
      "source": "help@fluidattacks.com",
      "url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
    },
    {
      "source": "help@fluidattacks.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml"
    }
  ],
  "sourceIdentifier": "help@fluidattacks.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "help@fluidattacks.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.