CVE-2026-49978
DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify IN_PLACE sanitization could skip shadow contents attached to an element inside <template>.content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive and execute when an application cloned and inserted the sanitized template. This issue is fixed in version 3.4.7.
| CWE | CWE-79 |
| Vendor | cure53 |
| Product | dompurify |
| Published | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for cure53 dompurify
Be the first to know when new unknown vulnerabilities affecting cure53 dompurify are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
cure53 / DOMPurify
< 3.4.6