Description
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.
Published: 2026-04-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

DOMPurify is a client‑side sanitizer that removes unsafe markup from user‑supplied content. The vulnerability stems from an inconsistency between the FORBID_TAGS and FORBID_ATTR handling when developers supply a function‑based ADD_TAGS predicate. The short‑circuit logic in the sanitizer skips the FORBID_TAGS check, letting disallowed elements and their attributes remain in the output. As a result, an attacker can inject forbidden tags that execute scripts or perform other malicious actions, constituting a cross‑site scripting issue.

Affected Systems

Affected systems include any application that uses the DOMPurify library from cure53 prior to release 3.4.0. This covers all versions older than 3.4.0 that employ function‑based add_tags predicates. The issue is fixed in DOMPurify 3.4.0, so users should verify the library version in their codebase and upgrade accordingly.

Risk and Exploitability

The CVSS score is 6, marking the bug as moderate severity. The EPSS score of fewer than 1% indicates a low likelihood of active exploitation at present. The vulnerability is not listed in the KEV catalog. Exploitation is client‑side only, and the attacker would need to supply crafted input that uses a function‑based add_tags predicate to bypass the forbidden tags check and inject malicious markup. The resulting XSS could lead to data theft, session hijacking, or defacement. Prompt patching or removal of vulnerable usage patterns reduces the attack surface.

Generated by OpenCVE AI on April 28, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DOMPurify to version 3.4.0 or later.
  • Avoid using function‑based ADD_TAGS predicates until the upgrade is applied; replace them with explicit tag lists if necessary.
  • Implement a Content Security Policy that restricts inline scripts and disallows unsafeEval to mitigate remaining XSS risk.

Generated by OpenCVE AI on April 28, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h7mw-gpvr-xq4m DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
History

Wed, 29 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 29 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Moderate

Tue, 28 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Cure53
Cure53 dompurify
Vendors & Products Cure53
Cure53 dompurify

Thu, 23 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.
Title DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Weaknesses CWE-183
CWE-79
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cure53 Dompurify
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T17:21:30.547Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41240

cve-icon Vulnrichment

Updated: 2026-04-23T17:21:16.648Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T16:16:26.710

Modified: 2026-04-29T14:58:30.117

Link: CVE-2026-41240

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-23T14:54:32Z

Links: CVE-2026-41240 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses