Description
DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue.
Published: 2026-04-17
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized network requests via CSS injection
Action: Apply patch
AI Analysis

Impact

DOMSanitizer does not inspect the contents of <style> tags embedded in SVG files, allowing attackers to inject CSS url() references and @import directives. When the sanitized SVG is rendered in a browser, those unfiltered directives trigger HTTP requests to attacker‑controlled hosts. The vulnerability can lead to covert exfiltration of data or unexpected network traffic, but it does not provide direct code execution or privilege escalation. The CVSS score of 4.7 indicates a moderate impact.

Affected Systems

The flaw is present in the rhukster:dom‑sanitizer library for PHP 7.3 and above prior to release version 1.0.10. Any PHP application that uses DOMSanitizer::sanitize() and renders SVG content could be affected.

Risk and Exploitability

The moderate CVSS score combined with the lack of an official KEV listing suggests that exploitation frequency is low to moderate. An attacker would need to supply or influence SVG content that is processed by DOMSanitizer and subsequently rendered in a browser, making the vulnerability highly context‑dependent. Without the patch, browsers will still perform network requests based on the malformed styles, which could be detected if outbound traffic is monitored.

Generated by OpenCVE AI on April 18, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update dom‑sanitizer to version 1.0.10 or later to remove the <style> injection flaw.
  • If an update is not immediately possible, pre‑process SVG input to strip or escape <style> tags before passing it to DOMSanitizer.
  • Audit the application’s SVG handling paths to ensure no unsanitized user input reaches the browser.

Generated by OpenCVE AI on April 18, 2026 at 08:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-93vf-569f-22cq rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Rhukster
Rhukster dom-sanitizer
Vendors & Products Rhukster
Rhukster dom-sanitizer
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue.
Title rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

Rhukster Dom-sanitizer
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:57:39.192Z

Reserved: 2026-04-10T20:22:44.036Z

Link: CVE-2026-40301

cve-icon Vulnrichment

Updated: 2026-04-20T14:42:32.819Z

cve-icon NVD

Status : Deferred

Published: 2026-04-17T21:16:34.850

Modified: 2026-04-29T21:04:10.060

Link: CVE-2026-40301

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:36Z

Weaknesses