Description
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.
Published: 2026-04-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (XSS) bypass
Action: Immediate Patch
AI Analysis

Impact

DOMPurify, a widely used DOM‑only XSS sanitizer, contains a prototype‑pollution flaw that allows an attacker to inject custom regex patterns into Object.prototype. When an application calls DOMPurify.sanitize() with its default settings, the overridden tagNameCheck and attributeNameCheck functions permit arbitrary custom elements and attributes, including event handlers, to pass through sanitization. The result is an XSS vector that can execute malicious scripts in the user’s browser, compromising confidentiality and integrity of client‑side data.

Affected Systems

The vulnerability affects the cure53 library DOMPurify versions 3.0.1 through 3.3.3. Versions 3.4.0 and later contain a fix that removes the prototype‑pollution path.

Risk and Exploitability

The CVSS score of 6.9 rates the vulnerability as moderate severity, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers must first achieve prototype pollution to place malicious regexes in Object.prototype before a DOMPurify.sanitize() call occurs. Based on the description, it is inferred that this typically requires a preceding vulnerability or vulnerability chain in the target application, making the attack vector indirect and contingent on prior conditions.

Generated by OpenCVE AI on April 28, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DOMPurify to version 3.4.0 or later.
  • Audit all DOMPurify.sanitize() calls to confirm they use the default configuration or explicitly enable CUSTOM_ELEMENT_HANDLING only when necessary.
  • Scan application code for prior prototype pollution vulnerabilities or any operations that modify Object.prototype before sanitization.
  • Run functional tests to validate that custom elements and attributes are blocked after the update.

Generated by OpenCVE AI on April 28, 2026 at 14:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v9jr-rg53-9pgp DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Cure53
Cure53 dompurify
Vendors & Products Cure53
Cure53 dompurify

Sun, 26 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 23 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.
Title DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Weaknesses CWE-1321
CWE-79
References
Metrics cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Cure53 Dompurify
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T16:22:34.174Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41238

cve-icon Vulnrichment

Updated: 2026-04-23T16:20:21.140Z

cve-icon NVD

Status : Deferred

Published: 2026-04-23T16:16:26.420

Modified: 2026-04-23T18:16:29.073

Link: CVE-2026-41238

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-23T14:43:17Z

Links: CVE-2026-41238 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses