Dompurify

This hub aggregates every CVE we track for Dompurify, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 13 most recently published vulnerabilities affecting Dompurify.

• CVE-2026-41240DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)6.1Apr 23, 2026
• CVE-2026-41239DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode6.8Apr 23, 2026
• CVE-2026-41238DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback6.9Apr 23, 2026
• CVE-2026-0540DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML6.1Mar 3, 2026
• CVE-2025-15599DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML6.1Mar 3, 2026
• CVE-2025-48050In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this rep...7.5May 15, 2025
• CVE-2025-26791DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).4.5Feb 14, 2025
• CVE-2024-48910DOMPurify vulnerable to tampering by prototype polution9.1Oct 31, 2024
• CVE-2024-47875DOMPurify nesting-based mXSS10.0Oct 11, 2024
• CVE-2024-45801Tampering by prototype polution in DOMPurify7.3Sep 16, 2024
• CVE-2019-25155DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.6.1Oct 31, 2023
• CVE-2020-26870Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML...6.1Oct 7, 2020
• CVE-2019-16728DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.6.1Sep 24, 2019