CVE-2025-26791: DOMPurify allows Cross-site Scripting (XSS)
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
References
- ensy.zip/posts/dompurify-323-bypass
- github.com/advisories/GHSA-vhxf-7vqr-mrjg
- github.com/cure53/DOMPurify
- github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
- github.com/cure53/DOMPurify/releases/tag/3.2.4
- nsysean.github.io/posts/dompurify-323-bypass
- nvd.nist.gov/vuln/detail/CVE-2025-26791
Detect and mitigate CVE-2025-26791 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →