CVE-2026-0540: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cure53 DOMPurify
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
AI Analysis
Technical Summary
DOMPurify is a widely used client-side JavaScript library that sanitizes HTML, SVG and MathML so that untrusted markup can be rendered without cross-site scripting. CVE-2026-0540 affects DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8. Among its checks, the SAFE_FOR_XML check (enabled by default) removes any attribute whose value contains an end tag for an element whose content the HTML parser reads as raw text. That check exists because the classic HTML serializer escapes only &, " and non-breaking spaces inside attribute values; < and > pass through unchanged, so a string such as </style> in an attribute survives serialization verbatim and can close a surrounding element early when the output is parsed again. The affected releases omit five rawtext elements from that check: noscript, xmp, noembed, noframes and iframe. An attribute value such as </noscript><img src=x onerror=alert(1)> is therefore kept, and DOMPurify returns markup of the form <a title="</noscript><img src=x onerror=alert(1)>">. That string is harmless as ordinary HTML; the bypass materializes only when the application places the sanitized output inside one of the five elements (for example a <noscript> block, whose content is rawtext whenever scripting is enabled). The tokenizer then ends the rawtext content at the first matching end tag, quotes notwithstanding, and everything after it, here the <img> element with its onerror handler, is parsed as live markup and executes in the victim's browser. Some newer browser engines follow a revised serialization algorithm that also escapes < and > in attribute values, which blunts this breakout at the serializer; engines and server-side DOM implementations that still serialize the classic way do not, so that must not be relied on. Exploitation needs no privileges or authentication, but it does require user interaction (the victim must load the page that renders the attacker's content) and an application that embeds sanitized output in one of these contexts; the CVSS 4.0 base score of 5.1 (medium) reflects that combination. The fix, commit 729097f, adds the missing element names to the SAFE_FOR_XML check. No exploitation in the wild had been reported at the time of writing, but any application that relies on an affected version and renders user-generated content inside a rawtext element should treat the issue as exploitable.
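As an added illustration of the mechanism (this is example code written for this page, not DOMPurify's source; the attribute check is a simplified stand-in for the one described above, and the serializer and tokenizer rules are reduced to the parts that matter here), the following JavaScript walks the advisory's payload through the three steps: the pre-fix check keeps the attribute, serialization leaves the end tag intact, and re-parsing inside a <noscript> element closes it early and exposes the <img> as markup.

```javascript
// Added example, not DOMPurify's source. Models the three steps of the bypass:
// (1) the attribute check, (2) HTML serialization, (3) re-parsing inside a
// rawtext element. The regexes below are simplified stand-ins, not the real ones.

// Step 1: simplified model of the SAFE_FOR_XML attribute check. The real check also
// rejects "-->" / "]]>" sequences; the exact end-tag list in the affected releases
// is an assumption here, but the five names missing before the fix are the CVE's.
const CHECK_BEFORE_FIX = /<\/(style|title|textarea)/i;
const CHECK_AFTER_FIX = /<\/(style|title|textarea|noscript|xmp|noembed|noframes|iframe)/i;

function attributeKept(check, value) {
  return !check.test(value);
}

// Step 2: classic HTML serializer behaviour for attribute values. Only &, " and
// U+00A0 are escaped; < and > pass through unchanged (assumed engine behaviour).
function serializeAttrValue(value) {
  return value.replace(/&/g, '&amp;').replace(/\u00a0/g, '&nbsp;').replace(/"/g, '&quot;');
}

function serializeElement(tag, attrs, text) {
  const attrText = Object.entries(attrs)
    .map(([name, value]) => ` ${name}="${serializeAttrValue(value)}"`)
    .join('');
  return `<${tag}${attrText}>${text}</${tag}>`;
}

// Step 3: tokenizer rule for RAWTEXT content. It ends at the first "</" followed by
// the element's own name (case-insensitive) and then whitespace, "/" or ">".
// Attribute quotes mean nothing to the tokenizer in this state.
function rawtextContentEnd(html, tag, from) {
  const endTag = new RegExp(`</${tag}(?=[\\s/>])`, 'ig');
  endTag.lastIndex = from;
  const match = endTag.exec(html);
  return match ? match.index : html.length;
}

// Simulates an application that wraps sanitized markup in a rawtext element and
// returns whatever the parser would read as live markup after an early close
// (empty string when the element closes where the application intended).
function markupAfterEarlyClose(tag, sanitized) {
  const page = `<${tag}>${sanitized}</${tag}>`;
  const contentStart = tag.length + 2;                // just after "<tag>"
  const intendedEnd = page.length - (tag.length + 3); // index of the real "</tag>"
  const actualEnd = rawtextContentEnd(page, tag, contentStart);
  return actualEnd < intendedEnd ? page.slice(actualEnd + tag.length + 3) : '';
}

// Constructed payload from the advisory, run through all three steps.
function demo(payload = '</noscript><img src=x onerror=alert(1)>') {
  const keptBefore = attributeKept(CHECK_BEFORE_FIX, payload);
  const keptAfter = attributeKept(CHECK_AFTER_FIX, payload);
  const sanitized = keptBefore
    ? serializeElement('a', { title: payload }, 'link')
    : serializeElement('a', {}, 'link');
  return {
    keptBefore,  // true: affected releases keep the attribute
    keptAfter,   // false: the fixed check drops it
    sanitized,   // <a title="</noscript><img src=x onerror=alert(1)>">link</a>
    leaked: markupAfterEarlyClose('noscript', sanitized),
  };
}

console.log(demo());
```

The `leaked` field is the part a reviewer should look at: it begins with the <img> element, which a real parser would now treat as an element with an event handler rather than as text inside <noscript>. Swap `'noscript'` for `'xmp'`, `'noembed'`, `'noframes'` or `'iframe'` and adjust the payload's end tag to see the same early close for the other four elements.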
Potential Impact
Successful exploitation of CVE-2026-0540 gives the attacker arbitrary JavaScript execution in the victim's browser, within the origin of the vulnerable application, with the usual consequences of XSS: session hijacking, theft of cookies, tokens or form data, actions performed with the victim's privileges, defacement, and redirection to attacker-controlled sites. The precondition is specific: the application must take DOMPurify's string output and place it inside a noscript, xmp, noembed, noframes or iframe element, whether through a template, through innerHTML on such an element, or by server-side rendering of a stored sanitized string. Applications that insert sanitized content into ordinary element content are not reachable by this particular bypass. Given DOMPurify's adoption across content management systems, e-commerce, social and collaboration platforms and enterprise portals, the population of affected installations is large; the medium CVSS score reflects the required user interaction and the narrow embedding context, not a low impact once that context exists. Because DOMPurify is frequently the only barrier between user-generated content and the page, a bypass of this kind also erodes the assumption that client-side sanitization alone is sufficient.
Mitigation Recommendations
To mitigate CVE-2026-0540, upgrade DOMPurify on both the 3.x and 2.5.x lines to a release that contains commit 729097f, which adds noscript, xmp, noembed, noframes and iframe to the SAFE_FOR_XML check. Audit the code base for every place where DOMPurify's string output is embedded inside a rawtext or RCDATA element (noscript, xmp, noembed, noframes, iframe, and likewise style, title, textarea and script) and remove those patterns: sanitized HTML belongs in ordinary element content. Where the output goes into the live DOM, prefer the RETURN_DOM_FRAGMENT or RETURN_DOM options and append the returned nodes directly, which avoids re-parsing a serialized string at all. Until the upgrade ships, an uponSanitizeAttribute hook that drops any attribute value containing </ followed by one of these element names gives equivalent protection. Treat client-side sanitization as the last line of defense rather than the only one: sanitize again server-side before storing or re-serving content, deploy a Content Security Policy with a strict script-src (nonce- or hash-based, without unsafe-inline) so that an injected onerror handler cannot run even if the markup is parsed, track sanitizer releases as part of routine dependency management, and monitor application logs and user reports for signs of attempted XSS.
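The stop-gap hook mentioned above, as an added example for this page (not DOMPurify's own code or part of the advisory). It uses DOMPurify's real hook API, `DOMPurify.addHook('uponSanitizeAttribute', fn)`, where `fn` receives `(node, data)` and setting `data.keepAttr = false` removes the attribute; the global `DOMPurify` object, the CI canary string and the list of guarded element names are this example's assumptions.

```javascript
// Added example, not DOMPurify's source or part of the advisory. A stop-gap for
// deployments that cannot upgrade immediately, built on DOMPurify's real hook API:
// DOMPurify.addHook('uponSanitizeAttribute', fn) calls fn(node, data) for every
// attribute, and setting data.keepAttr = false removes that attribute.

// End tags that close a RAWTEXT or RCDATA element regardless of quoting: the five
// names from CVE-2026-0540 plus the ones the check already covered, so the guard
// is a superset of the fix. Deliberately no lookahead: "</noscript" followed by
// anything is rejected, trading a little breakage for a simpler invariant.
const RAWTEXT_END_TAG = /<\/(?:noscript|xmp|noembed|noframes|iframe|style|title|textarea|script|plaintext)/i;

function rawtextBreakoutHook(node, data) {
  if (typeof data.attrValue === 'string' && RAWTEXT_END_TAG.test(data.attrValue)) {
    data.keepAttr = false; // drop the attribute; do not try to repair the value
  }
}

// Registers the guard on a DOMPurify instance (or any object with the same addHook API).
function installRawtextBreakoutGuard(purifier) {
  purifier.addHook('uponSanitizeAttribute', rawtextBreakoutHook);
  return purifier;
}

// Canary for CI: sanitize the advisory's payload and confirm that neither a rawtext
// end tag nor an event handler survives. It passes on a fixed release with or
// without the hook, and on an affected release only once the hook is installed.
const CANARY = '<a title="</noscript><img src=x onerror=alert(1)>">x</a>'; // constructed input

function canaryPasses(purifier) {
  const out = purifier.sanitize(CANARY);
  return !RAWTEXT_END_TAG.test(out) && !/onerror/i.test(out);
}

// Browser or jsdom usage; DOMPurify is assumed to be loaded as a global here.
if (typeof DOMPurify !== 'undefined') {
  installRawtextBreakoutGuard(DOMPurify);
  console.log('canary passes:', canaryPasses(DOMPurify));
}
```

Dropping the attribute is the right call for a guard like this: rewriting the value (for example replacing `</` with `&lt;/`) changes user data in ways that are hard to reason about, and the attribute is almost never legitimate. Keep the canary in the test suite after the upgrade as well, so a future regression in the sanitizer or a downgrade by a dependency resolver is caught before release.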
Affected Countries
United States, Germany, India, United Kingdom, Canada, Australia, Japan, South Korea, France, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-27T01:44:44.145Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a71bdad1a09e29cb636912
Added to database: 3/3/2026, 5:35:22 PM
Last enriched: 3/3/2026, 5:47:42 PM
Last updated: 3/4/2026, 7:52:58 AM