Bug 2461147 (CVE-2026-41240)

Summary: CVE-2026-41240 DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and execute arbitrary code in the user's browser, leading to Cross-Site Scripting (XSS).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2463430, 2463432, 2463429, 2463431
Bug Blocks:

Description OSIDB Bzimport 2026-04-23 16:05:05 UTC
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214, but the same fix was not applied to FORBID_TAGS. At lines 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.
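The check-order inconsistency the description refers to, modelled in plain JavaScript as an added example (this is not DOMPurify's source; the function names, the config shape and the sample tag list are assumptions). It puts the short-circuiting decision beside one with a FORBID_TAGS early exit and reports the tags on which the two disagree, which is the check an integrator would want before upgrading.

```javascript
// Simplified model of the element-allow decision described in the report.
// Not DOMPurify's code; the config shape and names are assumptions.

// Build a lowercase lookup table, the way a sanitizer builds its tag sets.
function toSet(list) {
  const set = Object.create(null);
  for (const item of list) set[item.toLowerCase()] = true;
  return set;
}

// Vulnerable ordering (pre-3.4.0 behaviour as described): when the
// function-based tagCheck returns true, `!true` is false and the `&&`
// short-circuits, so FORBID_TAGS is never consulted for that element.
function keepsElementVulnerable(tagName, cfg) {
  const tag = tagName.toLowerCase();
  const tagCheck = cfg.EXTRA_ELEMENT_HANDLING && cfg.EXTRA_ELEMENT_HANDLING.tagCheck;
  const allowedByFn = typeof tagCheck === 'function' && tagCheck(tag) === true;
  const remove = !allowedByFn && (!cfg.ALLOWED_TAGS[tag] || cfg.FORBID_TAGS[tag]);
  return !remove;
}

// Fixed ordering: FORBID_TAGS is an early exit, mirroring the FORBID_ATTR
// early exit the description mentions. No later allow-path can override it.
function keepsElementFixed(tagName, cfg) {
  const tag = tagName.toLowerCase();
  if (cfg.FORBID_TAGS[tag]) return false; // forbidden always wins
  const tagCheck = cfg.EXTRA_ELEMENT_HANDLING && cfg.EXTRA_ELEMENT_HANDLING.tagCheck;
  if (typeof tagCheck === 'function' && tagCheck(tag) === true) return true;
  return Boolean(cfg.ALLOWED_TAGS[tag]);
}

// Constructed config: a broad tagCheck for custom elements plus an explicit
// FORBID_TAGS entry for <style>, which the integrator expects to win.
const CONFIG = {
  ALLOWED_TAGS: toSet(['p', 'a', 'b']),
  FORBID_TAGS: toSet(['style']),
  EXTRA_ELEMENT_HANDLING: {
    // Permissive: accepts any tag made of lowercase letters or hyphens.
    tagCheck: (tag) => /^[a-z][a-z-]*$/.test(tag),
  },
};

// Return the tags on which the two decision functions disagree; a non-empty
// result is exactly the inconsistency the report describes.
function findDisagreements(tags, cfg) {
  return tags.filter((t) => keepsElementVulnerable(t, cfg) !== keepsElementFixed(t, cfg));
}

console.log(findDisagreements(['p', 'style', 'x-widget', 'table'], CONFIG)); // ['style']
```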