Description
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.
Published: 2026-04-23
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via template bypass
Action: Patch
AI Analysis

Impact

DOMPurify's SAFE_FOR_TEMPLATES option fails to strip `{{...}}` expressions when the sanitizer is used in RETURN_DOM or RETURN_DOM_FRAGMENT mode. An attacker can therefore inject template syntax that a template-evaluating framework such as Vue 2 later compiles, resulting in client-side cross-site scripting. The flaw is classified under CWE-79 and CWE-1289, and it can compromise the confidentiality, integrity, and availability of the web application for whichever users, authenticated or not, the affected input surface reaches.

Affected Systems

The issue affects the DOMPurify library maintained by cure53. It is present in every release from version 1.0.10 up to, but not including, 3.4.0. Any deployment of a DOMPurify 1.x, 2.x, or 3.x release in that range that sanitizes untrusted input with RETURN_DOM or RETURN_DOM_FRAGMENT is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 6.8 the vulnerability is rated moderate. The EPSS score is below 1 % and the CVE does not appear in the CISA KEV catalog, indicating a low to very low current probability of exploitation. Nevertheless, the attack path is straightforward: any user who can supply content that the application sanitizes via RETURN_DOM or RETURN_DOM_FRAGMENT can get `{{...}}` syntax past the sanitizer. Once a vulnerable framework interprets that syntax, the attacker can execute arbitrary JavaScript in the victim's browser. The risk is greatest in applications that render untrusted content dynamically through DOMPurify in the affected modes.

Generated by OpenCVE AI on April 28, 2026 at 07:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DOMPurify to version 3.4.0 or later, which fixes the template-stripping bug.
  • If upgrading is not immediately possible, do not use the RETURN_DOM and RETURN_DOM_FRAGMENT modes on untrusted input, or strip template expressions from the returned DOM yourself after sanitization.
  • Audit all code paths that combine DOMPurify with a template-evaluating framework, ensure that only safe, non-templated input reaches the browser, and consider stricter sanitization settings.
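The manual stripping suggested in the second action, as an added example written for this page rather than code from DOMPurify or the advisory: a post-sanitization pass over the DOM that RETURN_DOM or RETURN_DOM_FRAGMENT returns, removing `{{...}}` syntax from every text node and attribute value before the tree is mounted. The helper names (stripTemplateExpr, stripTemplatesFromTree, sampleFragment) and the constructed stand-in tree are mine; only DOMPurify.sanitize and its option names are the library's own.

```javascript
// Added example, not DOMPurify's code. Post-process the DOM that RETURN_DOM /
// RETURN_DOM_FRAGMENT returns so no {{...}} expression survives into a framework
// that evaluates template syntax. The pattern drops everything from an opening "{{"
// to the end of a value and from the start of a value up to a closing "}}".
const MUSTACHE_EXPR = /\{\{[\w\W]*|[\w\W]*\}\}/gm;

function stripTemplateExpr(value) {
  return value.replace(MUSTACHE_EXPR, ' ');
}

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// Walk a real DOM Node (or the stand-in below) in place: elements lose template
// syntax in every attribute value, text and comment nodes lose it in nodeValue.
function stripTemplatesFromTree(node) {
  if (node.nodeType === ELEMENT_NODE) {
    for (const attr of Array.from(node.attributes)) {
      attr.value = stripTemplateExpr(attr.value);
    }
  } else if (typeof node.nodeValue === 'string') {
    node.nodeValue = stripTemplateExpr(node.nodeValue);
  }
  for (const child of Array.from(node.childNodes)) {
    stripTemplatesFromTree(child);
  }
  return node;
}

// Constructed stand-in for the fragment a browser DOMPurify call would return;
// it carries only the properties the walker reads, so this runs under Node.js.
function text(value) {
  return { nodeType: TEXT_NODE, nodeValue: value, childNodes: [] };
}
function el(tagName, attrs, children) {
  const attributes = Object.entries(attrs).map(([name, value]) => ({ name, value }));
  return { nodeType: ELEMENT_NODE, tagName, attributes, childNodes: children };
}
function sampleFragment() {
  return { nodeType: 11, childNodes: [
    el('div', { title: '{{ evil }}' }, [
      text('Hello {{ user.name }}'),
      el('span', {}, [text('safe')]),
    ]),
    text('{{ unterminated'),
  ] };
}
// Browser usage after the vulnerable call (illustrative; DOMPurify is not loaded here):
//   const frag = DOMPurify.sanitize(dirty, { RETURN_DOM_FRAGMENT: true, SAFE_FOR_TEMPLATES: true });
//   stripTemplatesFromTree(frag);
```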



Advisories

Source: GitHub GHSA
ID: GHSA-crv5-9vww-q3g8
Title: DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
History

Mon, 27 Apr 2026 19:30:00 +0000

First Time appeared (values added): Cure53; Cure53 dompurify
Vendors & Products (values added): Cure53; Cure53 dompurify

Sun, 26 Apr 2026 00:15:00 +0000

References: (values not shown)
Metrics threat_severity (value removed): None
Metrics threat_severity (value added): Moderate

Sat, 25 Apr 2026 02:15:00 +0000

Metrics ssvc (value added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:45:00 +0000

Description (value added): DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.
Title (value added): DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Weaknesses (values added): CWE-1289; CWE-79
References: (values not shown)
Metrics cvssV3_1 (value added): {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:21:43.094Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41239

Vulnrichment

Updated: 2026-04-25T01:21:38.842Z

NVD

Status: Deferred

Published: 2026-04-23T16:16:26.560

Modified: 2026-04-23T16:18:41.563

Link: CVE-2026-41239

Red Hat

Severity: Moderate

Public Date: 2026-04-23T14:47:56Z

Links: CVE-2026-41239 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T07:45:26Z

Weaknesses