dompurify vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
| --- | --- | --- |
| GHSA-CMWH-PVXP-8882 | Medium | dompurify: DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard… |
| GHSA-VXR8-FQ34-VVX9 | Low | dompurify: DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE`… |
| GHSA-GVMJ-G25R-R7WR | Low | dompurify: DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template>… |
| CVE-2026-49978 | Medium | dompurify: DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content |
| GHSA-X4VX-RJVF-J5P4 | Low | dompurify: DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing… |
| GHSA-76MC-F452-CXCM | Medium | dompurify: DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes… |
| CVE-2026-49458 | Medium | dompurify: DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound… |
| CVE-2026-49459 | Medium | dompurify: DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via… |
| CVE-2026-47423 | High | dompurify: DOMPurify XSS via selectedcontent re-clone |
| CVE-2026-41240 | Medium | dompurify: DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR… |
| CVE-2026-41239 | Medium | dompurify: DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode |
| CVE-2026-41238 | Medium | dompurify: DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback |
| GHSA-39Q2-94RC-95CP | Medium | dompurify: DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation |
| GHSA-CJMM-F4JC-QW8R | Medium | dompurify: DOMPurify ADD_ATTR predicate skips URI validation |
| GHSA-CJ63-JHHR-WCXV | Medium | dompurify: DOMPurify USE_PROFILES prototype pollution allows event handlers |
| GHSA-H8R8-WCCR-V5F2 | Medium | dompurify: DOMPurify is vulnerable to mutation-XSS via Re-Contextualization |
| CVE-2026-0540 | Medium | dompurify: DOMPurify contains a Cross-site Scripting vulnerability |
| CVE-2025-15599 | Medium | dompurify: DOMPurify contains a Cross-site Scripting vulnerability |
| CVE-2025-26791 | Medium | dompurify: DOMPurify allows Cross-site Scripting (XSS) |
| CVE-2024-48910 | Critical | dompurify: DOMPurify vulnerable to tampering by prototype pollution |
| CVE-2024-47875 | High | dompurify: DOMPurify has a nesting-based mXSS |
| CVE-2024-45801 | High | dompurify: DOMPurify allows tampering by prototype pollution |
| CVE-2019-25155 | Medium | dompurify: DOMPurify Open Redirect vulnerability |
| GHSA-H6P3-P4VX-WR8Q | Medium | dompurify: dompurify vulnerable to Cross-site Scripting |
| GHSA-PGJV-JRG2-GQ3V | Medium | dompurify: dompurify vulnerable to Cross-site Scripting |
