CVE-2026-0540
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in DOMPurify. The SAFE_FOR_XML check, which is meant to keep sanitized output safe when it is later placed in an XML context, used a regular expression that omitted several rawtext elements (noscript, xmp, noembed, noframes, iframe). A crafted payload can therefore pass sanitization and still carry JavaScript that becomes live markup once the output is parsed in an XML context. Applications that sanitize user input with an affected DOMPurify version and place the result in XML contexts are affected.
💻 Affected Systems
- DOMPurify
📦 What is this software?
DOMPurify by Cure53 is a DOM-based XSS sanitizer for HTML, MathML and SVG: it parses untrusted markup with the browser's own parser (or a DOM implementation such as jsdom under Node) and returns a cleaned string.
⚠️ Risk & Real-World Impact
Worst Case
Full account takeover, data theft, or malware distribution via persistent XSS attacks affecting all users of vulnerable applications.
Likely Case
Session hijacking, credential theft, or defacement of web applications that process user-generated content with vulnerable DOMPurify versions.
If Mitigated
Limited impact if a strict Content Security Policy is in place (CSP does not stop the bypass itself, but it keeps injected inline script from executing) and input is validated before it reaches DOMPurify.
🎯 Exploit Status
Exploitation requires the attacker to control input that is processed by an affected DOMPurify version and then rendered in an XML context. A public proof of concept is available in the advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 729097f (DOMPurify 3.3.2 and later on the 3.x line, 2.5.9 and later on the 2.x line)
Vendor Advisory: https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5
Restart Required: No
Instructions:
1. Update DOMPurify to version 3.3.2 or later (3.x line) or 2.5.9 or later (2.x line).
2. Bump the dompurify range in package.json to the patched version first: npm update dompurify only moves within the range package.json already declares, so an old pinned range will not pick up the fix.
3. Run npm update dompurify (or the equivalent command for your package manager) and confirm with npm ls dompurify that no transitive copy of an affected version remains in the tree.
4. Rebuild and redeploy the application. A vendored copy of purify.min.js served from a static directory is not touched by the package manager and has to be replaced by hand.
🔧 Temporary Workarounds
Keep SAFE_FOR_XML on and keep output out of XML contexts
Setting SAFE_FOR_XML to false is not a workaround: that check is the protection being bypassed, not the cause, and turning it off removes the coverage it still provides. The bypass only matters when sanitized output is later parsed in an XML context, so the effective workaround is to keep DOMPurify output out of XML contexts or, where that is not possible, to forbid the affected rawtext elements outright.
// In JavaScript configuration (SAFE_FOR_XML stays on; FORBID_TAGS drops the elements whose closing tags the check missed):
DOMPurify.sanitize(input, {SAFE_FOR_XML: true, FORBID_TAGS: ['noscript', 'xmp', 'noembed', 'noframes', 'iframe']})
Content Security Policy
Implement a strict Content Security Policy to limit the impact of a successful XSS exploitation. It does not prevent the bypass, but a script-src without 'unsafe-inline' stops injected inline handlers such as onerror from running.
// HTTP header: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Add input validation that rejects payloads carrying a closing tag for one of the affected rawtext elements (</noscript>, </xmp>, </noembed>, </noframes>, </iframe>). Match case-insensitively and on the tokenizer boundary (</name followed by whitespace, / or >), and percent-decode the input first: a literal match on </noscript> alone misses </NOSCRIPT > and %3C%2Fnoscript%3E.
- When sanitized content has to be embedded in an XML document, XML-escape it as text (&lt;, &gt;, &amp;) instead of splicing it in as raw markup, so the XML parser never sees the smuggled tags as markup.
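The two measures above, as an added example (this is not DOMPurify's own code, and DOMPurify is not loaded here, so the sanitizer is passed in as a parameter; the helper names are this example's own). The wrapper keeps SAFE_FOR_XML on, forbids the rawtext elements the page lists, and refuses both input and output that carry one of their closing tags. The closing-tag pattern is anchored on the HTML tokenizer's end-tag boundary (`</name` followed by whitespace, `/` or `>`) rather than on a literal `</noscript>`, so `</NOSCRIPT >` and `</xmp/` are caught while `</noscriptx>` is not:

```javascript
// Added example, not DOMPurify project code. `sanitize` is any
// DOMPurify.sanitize-compatible function supplied by the caller.
const RAWTEXT_ELEMENTS = ["noscript", "xmp", "noembed", "noframes", "iframe"];

// "</name" counts as an end tag only when followed by whitespace, "/" or ">".
const RAWTEXT_CLOSE_RE = new RegExp(
  "</(?:" + RAWTEXT_ELEMENTS.join("|") + ")(?=[\\s/>])",
  "i"
);

// Returns the matched closing-tag prefix (e.g. "</noscript") or null.
function findRawtextCloseTag(markup) {
  const m = RAWTEXT_CLOSE_RE.exec(String(markup));
  return m ? m[0] : null;
}

// Pre-check the input, sanitize with the protection kept on and the affected
// elements forbidden, then post-check the output. Throws rather than returning
// markup that could still carry the bypass into an XML context.
function sanitizeForXmlContext(input, sanitize) {
  const inHit = findRawtextCloseTag(input);
  if (inHit !== null) {
    throw new Error("rejected input: contains " + inHit);
  }
  const output = sanitize(input, {
    SAFE_FOR_XML: true,            // the protection being bypassed; keep it on
    FORBID_TAGS: RAWTEXT_ELEMENTS, // do not emit the affected elements at all
  });
  const outHit = findRawtextCloseTag(output);
  if (outHit !== null) {
    throw new Error("rejected output: sanitizer left " + outHit);
  }
  return output;
}

// XML-escape sanitized text for embedding in an XML document as character data.
function xmlEscape(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}
```

In an application this is called as `sanitizeForXmlContext(userHtml, DOMPurify.sanitize)`; the post-check is the part that matters for this CVE, since it catches a closing tag that an affected version let through.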
🔍 How to Verify
Check if Vulnerable:
Check package.json and every node_modules/dompurify/package.json in the tree (transitive dependencies can carry their own copy) for the version number. If the version is 3.1.3 through 3.3.1 or 2.5.3 through 2.5.8, you are affected whenever sanitized output is placed in an XML context.
Check Version:
npm list dompurify | grep dompurify (for Node.js) or check browser console: DOMPurify.version
Verify Fix Applied:
Verify that the DOMPurify version is 3.3.2+ or 2.5.9+. Then test with a known payload: a rawtext closing tag followed by markup, such as </noscript><img src=x onerror=alert(1)> inside one of the affected elements, must not survive sanitization intact when the output is parsed in an XML context.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests containing rawtext element patterns
- Increased error rates in XML parsing
Network Indicators:
- Requests containing </noscript>, </xmp>, </noembed>, </noframes> or </iframe> in parameters, including their percent-encoded forms (for example %3C%2Fnoscript%3E) and mixed-case variants, which a literal match on the decoded tag misses
SIEM Query:
source="web_logs" AND ("</noscript>" OR "</xmp>" OR "</noembed>" OR "</noframes>" OR "</iframe>")
This query matches only the literal, already-decoded form; match case-insensitively and either add the percent-encoded forms (%3C%2Fnoscript%3E and so on) or normalise the request field before matching.