CVE-2026-41239: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cure53 DOMPurify
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.
AI Analysis
Technical Summary
DOMPurify is a DOM-only sanitizer for HTML, MathML, and SVG that prevents XSS attacks. In versions >=1.0.10 and <3.4.0, the SAFE_FOR_TEMPLATES option, intended to remove template expressions ({{...}}) from untrusted HTML, works only in string output mode. When DOMPurify is used with RETURN_DOM or RETURN_DOM_FRAGMENT, these expressions are not stripped from the returned nodes, enabling XSS in frameworks that evaluate templates in rendered markup, such as Vue 2. This vulnerability is addressed in DOMPurify version 3.4.0.
Potential Impact
Successful exploitation allows an attacker to inject malicious scripts via untrusted HTML that includes template expressions, leading to cross-site scripting attacks. This can result in the execution of arbitrary JavaScript in the context of the victim's browser, potentially compromising confidentiality and integrity of user data. The CVSS score is 6.8 (medium severity), reflecting network attack vector, high impact on confidentiality and integrity, but requiring user interaction and high attack complexity.
Mitigation Recommendations
Upgrade DOMPurify to version 3.4.0 or later, where this vulnerability is patched. There is no official fix or patch available for earlier versions. Until upgrading, do not rely on SAFE_FOR_TEMPLATES when using RETURN_DOM or RETURN_DOM_FRAGMENT on untrusted HTML. Patch status beyond the version 3.4.0 fix is not explicitly stated; check the vendor's advisory for the latest remediation guidance.
CVSS v3.1 Score: 6.8 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-18T03:47:03.135Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ea9e7b87115cfb686fc58b
Added to database: 4/23/2026, 10:34:35 PM
Last enriched: 5/1/2026, 8:40:18 PM
Last updated: 6/7/2026, 8:04:42 AM
Views: 46