CVE-2026-41238: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cure53 DOMPurify
DOMPurify versions 3. 0. 1 through 3. 3. 3 are vulnerable to a prototype pollution-based cross-site scripting (XSS) bypass. This occurs when an attacker manipulates Object. prototype to inject permissive regex values that cause DOMPurify to allow arbitrary custom elements and attributes, including event handlers, through sanitization. The vulnerability is fixed in version 3. 4. 0.
AI Analysis
Technical Summary
DOMPurify is a sanitizer designed to prevent XSS by cleaning HTML, MathML, and SVG input. Versions from 3.0.1 up to but not including 3.4.0 are susceptible to a prototype pollution vulnerability that enables an attacker to bypass sanitization. Specifically, if an application uses DOMPurify.sanitize() with default settings (no CUSTOM_ELEMENT_HANDLING), a prior prototype pollution can inject permissive regular expressions into Object.prototype's tagNameCheck and attributeNameCheck properties. This manipulation causes DOMPurify to permit arbitrary custom elements and attributes, including event handlers, which can lead to XSS. The issue is resolved in version 3.4.0.
Potential Impact
Successful exploitation allows an attacker to bypass DOMPurify's sanitization, enabling injection of arbitrary custom elements and attributes with event handlers. This can lead to cross-site scripting attacks that compromise confidentiality and integrity of web applications using vulnerable versions. The CVSS vector indicates network attack complexity is high, user interaction is required, and the impact on confidentiality is high while integrity impact is low and availability is unaffected.
Mitigation Recommendations
Upgrade DOMPurify to version 3.4.0 or later, where this vulnerability is fixed. There is no official patch or temporary fix for earlier versions. Applications using affected versions should update promptly to prevent exploitation.
CVE-2026-41238: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cure53 DOMPurify
Description
DOMPurify versions 3. 0. 1 through 3. 3. 3 are vulnerable to a prototype pollution-based cross-site scripting (XSS) bypass. This occurs when an attacker manipulates Object. prototype to inject permissive regex values that cause DOMPurify to allow arbitrary custom elements and attributes, including event handlers, through sanitization. The vulnerability is fixed in version 3. 4. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
DOMPurify is a sanitizer designed to prevent XSS by cleaning HTML, MathML, and SVG input. Versions from 3.0.1 up to but not including 3.4.0 are susceptible to a prototype pollution vulnerability that enables an attacker to bypass sanitization. Specifically, if an application uses DOMPurify.sanitize() with default settings (no CUSTOM_ELEMENT_HANDLING), a prior prototype pollution can inject permissive regular expressions into Object.prototype's tagNameCheck and attributeNameCheck properties. This manipulation causes DOMPurify to permit arbitrary custom elements and attributes, including event handlers, which can lead to XSS. The issue is resolved in version 3.4.0.
Potential Impact
Successful exploitation allows an attacker to bypass DOMPurify's sanitization, enabling injection of arbitrary custom elements and attributes with event handlers. This can lead to cross-site scripting attacks that compromise confidentiality and integrity of web applications using vulnerable versions. The CVSS vector indicates network attack complexity is high, user interaction is required, and the impact on confidentiality is high while integrity impact is low and availability is unaffected.
Mitigation Recommendations
Upgrade DOMPurify to version 3.4.0 or later, where this vulnerability is fixed. There is no official patch or temporary fix for earlier versions. Applications using affected versions should update promptly to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T03:47:03.135Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ea9e7887115cfb686fc413
Added to database: 4/23/2026, 10:34:32 PM
Last enriched: 4/23/2026, 10:35:44 PM
Last updated: 4/24/2026, 6:04:59 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.