Bug 2444135 (CVE-2026-0540) - CVE-2026-0540 DOMPurify: DOMPurify: Cross-site scripting vulnerability
Summary: CVE-2026-0540 DOMPurify: DOMPurify: Cross-site scripting vulnerability
Keywords:
Status: NEW
Alias: CVE-2026-0540
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2444261 2444263 2444265 2444267 2444273 2444275 2444277 2444279 2444281 2444283 2444288 2444269 2444271 2444285 2444287
Blocks:
Reported: 2026-03-03 18:01 UTC by OSIDB Bzimport
Modified: 2026-03-03 23:20 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-03 18:01:25 UTC
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8 (fixed in commit 729097f) contain a cross-site scripting vulnerability that lets attackers bypass attribute sanitization. The SAFE_FOR_XML check, which rejects attribute values containing a closing tag for a rawtext element, omitted five such elements: noscript, xmp, noembed, noframes and iframe. An attacker can therefore put a payload such as </noscript><img src=x onerror=alert(1)> in an attribute value; it survives sanitization unchanged, and when the sanitized output is placed inside one of these rawtext elements the embedded closing tag ends the rawtext content and the rest of the attribute value is parsed as ordinary HTML, executing JavaScript.
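The following is an added example, not DOMPurify's code or part of this bug report. It models the two halves of the problem the description names: a SAFE_FOR_XML-style attribute check built from a rawtext element list, and the browser tokenizer's RAWTEXT state, in which tags and attributes are invisible and only the first matching end tag counts (for noscript this holds when scripting is enabled, which is why the live page behaves differently from a parse with scripting off). The five added element names come from the report; the pre-fix list (style, title, textarea) is my recollection of the regex and is an assumption, as is every function name here.

```javascript
// Added example (not DOMPurify's code): a model of the SAFE_FOR_XML attribute
// check and of the browser tokenizer's RAWTEXT state, showing why a closing tag
// hidden in an attribute value escapes a <noscript>/<xmp>/... context.

// The five rawtext elements the bug report says the regex was missing.
const ADDED_RAWTEXT_ELEMENTS = ['noscript', 'xmp', 'noembed', 'noframes', 'iframe'];
// ASSUMPTION: the pre-fix element list (my recollection; not stated on the page).
const PRE_FIX_ELEMENTS = ['style', 'title', 'textarea'];
const POST_FIX_ELEMENTS = PRE_FIX_ELEMENTS.concat(ADDED_RAWTEXT_ELEMENTS);

// Build a SAFE_FOR_XML-style predicate: an attribute value is rejected when it
// contains a comment/CDATA terminator ("-->", "--!>", "]>") or a closing tag for
// any listed rawtext element. Matching is case-insensitive like the tokenizer.
function makeAttributeCheck(elements) {
  const re = new RegExp('((--!?|\\])>)|<\\/(' + elements.join('|') + ')', 'i');
  return (value) => !re.test(value);
}
const isSafePreFix = makeAttributeCheck(PRE_FIX_ELEMENTS);
const isSafePostFix = makeAttributeCheck(POST_FIX_ELEMENTS);

// Model of the RAWTEXT tokenizer state: inside <noscript> (scripting enabled),
// <xmp>, <noembed>, <noframes> or <iframe>, the parser does not see tags or
// attributes at all; it only scans for the first "</name" followed by
// whitespace, "/" or ">". Everything after that end tag is parsed as ordinary
// HTML again. Returns that tail, or null when the context is never closed.
function rawtextEscape(elementName, markupAfterOpenTag) {
  const re = new RegExp('</' + elementName + '[\\t\\n\\f />]', 'i');
  const m = re.exec(markupAfterOpenTag);
  if (m === null) return null;
  const fromEndTag = markupAfterOpenTag.slice(m.index);
  const gt = fromEndTag.indexOf('>');
  return gt === -1 ? '' : fromEndTag.slice(gt + 1);
}

// Constructed attacker input: the payload from the bug report, placed in an
// attribute value of an otherwise harmless element.
const PAYLOAD = '</noscript><img src=x onerror=alert(1)>';

// What the sanitizer hands back when the attribute survives: HTML serialization
// escapes only &, " and nbsp inside attribute values, so "<" and ">" stay
// literal and the closing tag is still there byte for byte.
function serializeAttributeValue(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/\u00a0/g, '&nbsp;');
}
function sanitizedAnchor(title) {
  return '<a title="' + serializeAttributeValue(title) + '">link</a>';
}

// End-to-end: run the attribute check, then let the consuming page drop the
// serialized result inside <noscript>. Returns the markup that escapes the
// rawtext context, or null when the attribute was rejected or nothing escaped.
function exploitOutcome(attributeCheck, title) {
  if (!attributeCheck(title)) return null; // attribute stripped by the sanitizer
  const page = '<noscript>' + sanitizedAnchor(title) + '</noscript>';
  const inner = page.slice('<noscript>'.length);
  return rawtextEscape('noscript', inner);
}

console.log('pre-fix escape :', exploitOutcome(isSafePreFix, PAYLOAD));
console.log('post-fix escape:', exploitOutcome(isSafePostFix, PAYLOAD));
```

With the pre-fix list the payload passes the check and the tail returned by rawtextEscape begins with the img element, which the browser then parses as a live tag; with the post-fix list the attribute is rejected before serialization. Two practitioner caveats: this check only runs when DOMPurify's SAFE_FOR_XML option is enabled (its default), so deployments that turned it off gain nothing from the fix, and the more robust design is not to insert sanitized markup into any rawtext element in the first place.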

