cure53 dompurify CVE 漏洞(11)

CVE 數: 11 CPE versions: View versions table

摘要

本頁列出影響 cure53 dompurify 的已公開 CVE 漏洞(透過 NVD CPE 關聯)。每列包含嚴重程度評分、摘要與發布日期,便於識別與分析安全議題。

顯示 11111 CVE 數
«« 第一頁 « 上一頁 第 1 / 1 頁 下一頁 »
CVE 摘要 來源 最高 CVSS EPSS % 公開時間 更新時間
CVE-2026-41240 DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive [email protected] 6.0 0.26% 2026-04-23 2026-06-17
CVE-2026-0540 DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts. [email protected] 5.3 0.28% 2026-03-03 2026-06-17
CVE-2025-15599 DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched. [email protected] 5.1 0.24% 2026-03-03 2026-06-17
CVE-2025-48050 In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started." [email protected] 7.5 0.39% 2025-05-15 2026-06-17
CVE-2025-26791 DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS). [email protected] 4.5 0.56% 2025-02-14 2026-06-17
CVE-2024-48910 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. [email protected] 9.1 1.18% 2024-10-31 2026-06-17
CVE-2024-47875 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3. [email protected] 10.0 1.09% 2024-10-11 2026-06-17
CVE-2024-45801 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There ar [email protected] 7.3 0.84% 2024-09-16 2026-06-17
CVE-2019-25155 DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute. [email protected] 6.1 0.46% 2023-11-06 2026-06-16
CVE-2020-26870 Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. [email protected] 6.1 4.88% 2020-10-07 2026-06-16
CVE-2019-16728 DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. [email protected] 6.1 1.67% 2019-09-24 2026-06-16
«« 第一頁 « 上一頁 第 1 / 1 頁 下一頁 »
cvelogic Threat Intelligence