dompurify · threatengine.sh

CVE-2026-41240

< 3.4.0

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency be

6.1MEDIUM

CVE-2026-0540

>= 2.5.3 and <= 2.5.8

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that

6.1MEDIUM

CVE-2025-15599

>= 2.5.3 and <= 2.5.8

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass

6.1MEDIUM

CVE-2025-26791

< 3.2.4

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (m

4.5MEDIUM

CVE-2024-48910

< 2.4.2

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype p

9.1CRITICAL

CVE-2024-47875

< 2.5.0

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-bas

10.0CRITICAL

CVE-2024-45801

< 2.5.4

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious H

7.3HIGH

CVE-2019-25155

< 1.0.11

DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener norefe

6.1MEDIUM

CVE-2020-26870

< 2.0.17

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return th

6.1MEDIUM

CVE-2019-16728

< 2.0.1

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated b

6.1MEDIUM

cure53 dompurify