CVE-2026-41238

MEDIUM 6.9

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

CVSS Score

6.9

EPSS Score

0.0%

EPSS Percentile

0th

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.

CWE	CWE-79 CWE-1321
Vendor	cure53
Product	dompurify
Published	Apr 23, 2026
Last Updated	Apr 23, 2026

Stay Ahead of the Next One

Get instant alerts for cure53 dompurify

Be the first to know when new medium vulnerabilities affecting cure53 dompurify are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

cure53 / DOMPurify

>= 3.0.1, < 3.4.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp github.com: https://github.com/cure53/DOMPurify/releases/tag/3.4.0