Security: cure53/DOMPurify
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation. GHSA-39q2-94rc-95cp, published Apr 15, 2026 by cure53. Severity: Moderate
- DOMPurify IN_PLACE mode fails to sanitize cross-window DOM elements, allowing XSS bypass. GHSA-4w3q-35jp-p934, published Apr 1, 2026 by cure53. Severity: Low
- XSS via ADD_ATTR/ADD_TAGS Function Predicate State Leakage Across sanitize() Calls. GHSA-9p3w-6h5p-cv75, published Apr 1, 2026 by cure53. Severity: Low
- DOMPurify ADD_ATTR predicate skips URI validation. GHSA-cjmm-f4jc-qw8r, published Apr 1, 2026 by cure53. Severity: Moderate
- DOMPurify USE_PROFILES prototype pollution allows event handlers. GHSA-cj63-jhhr-wcxv, published Apr 1, 2026 by cure53. Severity: Moderate
- DOMPurify mXSS via Re-Contextualization. GHSA-h8r8-wccr-v5f2, published Mar 25, 2026 by cure53. Severity: Moderate
- Tampering by prototype pollution. GHSA-p3vf-v8qc-cwcr, published Oct 31, 2024 by cure53. Severity: Critical
- nesting-based mXSS. GHSA-gx9m-whjm-85jf, published Oct 11, 2024 by cure53. Severity: Critical
- Tampering by prototype pollution. GHSA-mmhx-hmjr-r674, published Sep 16, 2024 by cure53. Severity: High