Description
DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue.
Published: 2026-04-17
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized network requests via CSS injection
Action: Apply patch
AI Analysis

Impact

DOMSanitizer does not inspect the contents of <style> tags embedded in SVG files, allowing attackers to inject CSS url() references and @import directives. When the sanitized SVG is rendered in a browser, those unfiltered directives trigger HTTP requests to attacker‑controlled hosts. The vulnerability can lead to covert exfiltration of data or unexpected network traffic, but it does not provide direct code execution or privilege escalation. The CVSS score of 4.7 indicates a moderate impact.

Affected Systems

The flaw is present in the rhukster:dom‑sanitizer library for PHP 7.3 and above prior to release version 1.0.10. Any PHP application that uses DOMSanitizer::sanitize() and renders SVG content could be affected.

Risk and Exploitability

The moderate CVSS score combined with the lack of an official KEV listing suggests that exploitation frequency is low to moderate. An attacker would need to supply or influence SVG content that is processed by DOMSanitizer and subsequently rendered in a browser, making the vulnerability highly context‑dependent. Without the patch, browsers will still perform network requests based on the malformed styles, which could be detected if outbound traffic is monitored.

Generated by OpenCVE AI on April 18, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update dom‑sanitizer to version 1.0.10 or later to remove the <style> injection flaw.
  • If an update is not immediately possible, pre‑process SVG input to strip or escape <style> tags before passing it to DOMSanitizer.
  • Audit the application’s SVG handling paths to ensure no unsanitized user input reaches the browser.

Generated by OpenCVE AI on April 18, 2026 at 08:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-93vf-569f-22cq rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
History

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue.
Title rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T20:51:37.226Z

Reserved: 2026-04-10T20:22:44.036Z

Link: CVE-2026-40301

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-17T21:16:34.850

Modified: 2026-04-17T21:16:34.850

Link: CVE-2026-40301

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses