What is the CVSS score of CVE-2025-26791?

CVE-2025-26791 has a CVSS 3.1 base score of 4.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.2%.

Which versions of Dompurify are affected by CVE-2025-26791?

Organizations using DOMPurify before 3.2.4 should be aware of moderate risk from CVE-2025-26791, a cross-site scripting vulnerability rated CVSS 4.5.. A patch is available.

Is there a public PoC exploit available for CVE-2025-26791?

Yes, a public proof-of-concept exploit is available for CVE-2025-26791. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-26791?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Dompurify CVE-2025-26791

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-02-14 cve@mitre.org

XSS Dompurify Red Hat Suse

4.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.5 MEDIUM

AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

SUSE

MEDIUM

qualitative

Red Hat

4.5 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:26 vuln.today

Patch released

Mar 28, 2026 - 18:26 nvd

Patch available

PoC Detected

Oct 07, 2025 - 20:56 vuln.today

Public exploit code

CVE Published

Feb 14, 2025 - 09:15 nvd

MEDIUM 4.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

237 npm packages depend on dompurify (71 direct, 170 indirect)

Ecosystem-wide dependent count for version 3.2.4.

DescriptionCVE.org

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

AnalysisAI

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS). Rated medium severity (CVSS 4.5), this vulnerability is no authentication required. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS). Affected products include: Cure53 Dompurify. Version information: before 3.2.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

Vendor StatusVendor

SUSE

Severity: Medium

Product	Status
openSUSE Tumbleweed	Fixed
SUSE Linux Enterprise Server 16.0	Fixed
SUSE Linux Enterprise Server 16.1	Fixed
SUSE Linux Enterprise Server for SAP applications 16.0	Fixed
SUSE Linux Enterprise Server for SAP applications 16.1	Fixed

CVE-2025-26791 vulnerability details – vuln.today

Back

Dompurify CVE-2025-26791

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code