CVE-2026-0540 - Vulnerability Details

- DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML

Description

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Published: 2026-03-03

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8 allows an attacker to insert JavaScript into attribute values that bypass normal sanitization. By crafting payloads such as </noscript><img src=x onerror=alert(1)>, the attacker can cause code execution when the output is later placed inside rawtext elements – noscript, xmp, noembed, noframes, or iframe – where attribute sanitization is not enforced.

Affected Systems

This vulnerability affects the DOMPurify library distributed by cure53. Affected versions include 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8. Any web application that integrates these releases and outputs sanitized HTML into rawtext contexts is potentially impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is below 1 % and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation activity to date. The likely attack vector involves an attacker providing malicious input to a web application that uses DOMPurify to sanitize that input before rendering it inside rawtext elements. Successful exploitation would enable the attacker to run JavaScript in the victim’s browser session, compromising confidentiality, integrity, or other aspects of the application or user data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

cure53

DOMPurify

unaffected

Version	Status	Constraints
`3.1.3`	affected	≤ 3.3.1
`2.5.3`	affected	≤ 2.5.8

Configuration 1 [-]

OR	cpe:2.3:a:cure53:dompurify::::::::
	cpe:2.3:a:cure53:dompurify::::::::

No data.

Vendor Product Confidence Versions

Cure53

Dompurify

95%

Version	Status	Scheme	Platform
`[3.1.3,3.3.1]`	affected	semver	—
`[2.5.3,2.5.8]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade DOMPurify to version 3.3.2 or later, which includes a fix for the rawtext element bypass.
If an upgrade is not immediately possible, remove or escape usage of the five rawtext elements (noscript, xmp, noembed, noframes, iframe) in the output rendering logic to prevent the bypass from occurring.
Implement a Content Security Policy that restricts script execution from user‑supplied content, adding an additional safeguard against accidental XSS.

Generated by OpenCVE AI on April 16, 2026 at 14:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-v2wj-7wpq-c8vv	DOMPurify contains a Cross-site Scripting vulnerability

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://fluidattacks.com/advisories/daft
https://github.com/cure53/DOMPurify
https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80
https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5
https://github.com/cure53/DOMPurify/releases/tag/3.3.2
https://nvd.nist.gov/vuln/detail/CVE-2026-0540
https://www.cve.org/CVERecord?id=CVE-2026-0540
https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml
https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safeforxml

History

Wed, 25 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`	cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

Wed, 25 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/cure53/DOMPurify/releases/tag/3.3.2

Wed, 25 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.	DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
References		https://fluidattacks.com/advisories/daft https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80

Wed, 04 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0540 https://www.cve.org/CVERecord?id=CVE-2026-0540 https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safeforxml
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 03 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
References	https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safeforxml

Tue, 03 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 03 Mar 2026 18:30:00 +0000

Type	Values Removed	Values Added
References		https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml

Tue, 03 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
Title		DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML
First Time appeared		Cure53 Cure53 dompurify
Weaknesses		CWE-79
CPEs		cpe:2.3:a:cure53:dompurify::::::::
Vendors & Products		Cure53 Cure53 dompurify
References		https://github.com/cure53/DOMPurify https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5 https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safeforxml
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

Subscriptions

Cure53 Dompurify

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-03-03T17:26:06.621Z

Updated: 2026-03-25T15:52:12.404Z

Reserved: 2025-12-27T01:44:44.145Z

Link: CVE-2026-0540

Vulnrichment

Updated: 2026-03-03T19:02:02.973Z

NVD

Status : Modified

Published: 2026-03-03T18:16:24.457

Modified: 2026-03-25T16:16:10.060

Link: CVE-2026-0540

Redhat

Severity : Moderate

Publid Date: 2026-03-03T17:26:06Z

Links: CVE-2026-0540 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T14:15:28Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object