SB20260325102 - Multiple vulnerabilities in DOMPurify
Published: March 25, 2026 Updated: April 16, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-3126)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary script in the browser.
The vulnerability exists due to improper URI validation in the ADD_ATTR predicate handling, i.e. when input is sanitized with a predicate-based attribute allowlist. A remote attacker can supply crafted HTML containing a javascript: URL to execute arbitrary script in the browser.
User interaction is required to activate the malicious link.
3) Prototype pollution (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.
The vulnerability exists due to prototype pollution in the USE_PROFILES attribute allowlist handling in DOMPurify when sanitizing markup with USE_PROFILES enabled in a runtime affected by Array.prototype pollution. A remote attacker can set a polluted Array.prototype property such as onclick or rely on an already polluted runtime to cause dangerous event handler attributes to be preserved and execute when rendered.
The issue affects cases where sanitized output is later added to the DOM.
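The following is an added, constructed illustration of the defect class behind issue 3 (it is not DOMPurify's code): an attribute allowlist that is consulted by property lookup on an Array inherits whatever Array.prototype carries, so a polluted `onclick` property reads as allowed, whereas a null-prototype table checked with an own-property test does not. The attribute names and values are constructed sample data.

```javascript
// Constructed illustration, not DOMPurify's implementation: how Array.prototype
// pollution can defeat an attribute allowlist, and a lookup that is immune to it.

const ALLOWED = ['href', 'title', 'alt'];   // constructed profile-style allowlist

// Fragile: an Array used as a dictionary. A missing key falls through to
// Array.prototype, so a polluted `onclick` property reads as truthy.
function buildFragileLookup(names) {
  const table = [];
  for (const n of names) table[n] = true;
  return table;
}
function isAllowedFragile(table, attr) {
  return Boolean(table[attr]);
}

// Hardened: a null-prototype object plus an own-property check. Nothing inherited
// can satisfy the test (a Set would serve equally well).
function buildHardenedLookup(names) {
  const table = Object.create(null);
  for (const n of names) table[n] = true;
  return table;
}
function isAllowedHardened(table, attr) {
  return Object.prototype.hasOwnProperty.call(table, attr) && table[attr] === true;
}

// Keep only the attributes the given checker allows (stands in for the
// attribute-filtering step of a sanitizer).
function filterAttributes(attrs, table, isAllowed) {
  const kept = {};
  for (const name of Object.keys(attrs)) {
    if (isAllowed(table, name)) kept[name] = attrs[name];
  }
  return kept;
}

// Simulate an already-polluted runtime (constructed), run both checkers on the
// same element attributes, then restore Array.prototype.
function demo() {
  const attrs = { href: 'https://example.com/', onclick: 'handler()' };  // constructed
  Array.prototype.onclick = true;  // the polluted property
  try {
    return {
      fragile: Object.keys(filterAttributes(attrs, buildFragileLookup(ALLOWED), isAllowedFragile)),
      hardened: Object.keys(filterAttributes(attrs, buildHardenedLookup(ALLOWED), isAllowedHardened)),
    };
  } finally {
    delete Array.prototype.onclick;
  }
}
```

`demo()` returns `['href', 'onclick']` for the fragile table and `['href']` for the hardened one; the same own-property discipline applies to any allowlist or profile table a sanitizer builds from arrays.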
Remediation
Install the update from the vendor's website.