DOMPurify is a widely used client-side library designed to sanitize HTML and prevent cross-site scripting (XSS) attacks by neutralizing malicious input during web page generation. CVE-2026-0540 identifies a vulnerability in DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, where the sanitization process fails to properly handle certain rawtext HTML elements—specifically noscript, xmp, noembed, noframes, and iframe—due to their absence in the SAFE_FOR_XML regular expression. This omission allows attackers to inject crafted payloads that break out of attribute contexts and execute arbitrary JavaScript code when the sanitized content is rendered in a browser. For example, an attacker can embed a payload like </noscript><img src=x onerror=alert(1)> within attribute values, which bypasses the sanitization and triggers script execution. This vulnerability undermines the core purpose of DOMPurify, potentially enabling XSS attacks that can steal cookies, hijack sessions, or perform other malicious actions. The vulnerability does not require authentication or privileges and can be exploited remotely by tricking users into viewing manipulated content. The issue was fixed in commit 729097f, which updated the SAFE_FOR_XML regex to include the missing rawtext elements, restoring proper sanitization. No public exploits have been reported yet, but the widespread use of DOMPurify in web applications makes timely patching critical.

The primary impact of CVE-2026-0540 is the potential for cross-site scripting attacks in web applications that rely on vulnerable versions of DOMPurify for sanitizing user-generated or external HTML content. Successful exploitation can lead to arbitrary JavaScript execution in the context of the victim's browser, enabling attackers to steal sensitive information such as authentication tokens, cookies, or personal data. It can also facilitate session hijacking, defacement, or redirect users to malicious sites. Because DOMPurify is commonly integrated into numerous web frameworks and applications worldwide, the vulnerability poses a broad risk to organizations that handle user input or display dynamic content. The medium CVSS score reflects moderate ease of exploitation combined with significant confidentiality and integrity impacts, though availability is less affected. The lack of required privileges and user interaction beyond viewing the malicious content increases the attack surface. Organizations with high-value web assets, especially those serving sensitive or regulated data, face elevated risks of reputational damage, compliance violations, and financial loss if exploited.

Organizations should immediately upgrade DOMPurify to a patched version that includes the fix from commit 729097f or later (versions beyond 3.3.1 or 2.5.8). If upgrading is not immediately feasible, applying custom patches to the SAFE_FOR_XML regex to include the missing rawtext elements (noscript, xmp, noembed, noframes, iframe) can serve as a temporary mitigation. Additionally, web developers should implement defense-in-depth by employing Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. Input validation and output encoding should be reinforced on the server side, especially for any user-generated content that is rendered in browsers. Regular security testing, including automated scanning for XSS vulnerabilities and manual code reviews of sanitization logic, is recommended. Monitoring web application logs for unusual script execution or injection attempts can help detect exploitation attempts early. Finally, educating developers about the limitations of client-side sanitization and encouraging the use of multiple layers of security controls will improve overall resilience.