VDB

CVE-2025-15599

PUBLISHED · CVSS 5.1 MEDIUM

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization, because the SAFE_FOR_XML regex does not validate the textarea rawtext element. Attackers can include closing rawtext tags such as </textarea> in attribute values to break out of a rawtext context and execute JavaScript when the sanitized output is placed inside a rawtext element. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

EPSS 0.04% · 12.0th percentile

Risk Scores

  • CVSS v4.0: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
  • EPSS Score: 0.04% (12.0th percentile)

Affected Products

Vendor    Product     Versions
cure53    dompurify   2.5.3, 3.1.3, 2.5.3
npm       dompurify   2.5.3, 3.1.3, 2.5.3
cure53    DOMPurify   2.5.3, 2.5.3, 3.2.7

Timeline

  • Mar 3, 2026 CVE Published
  • Mar 3, 2026 PoC Published
  • Mar 4, 2026 CVE Updated
  • Mar 4, 2026 EPSS Score
  • Mar 5, 2026 EPSS Score
  • Mar 6, 2026 EPSS Score
  • Mar 8, 2026 EPSS Score
  • Mar 9, 2026 EPSS Score
  • Mar 9, 2026 Security Advisory
  • Mar 10, 2026 EPSS Score
  • Mar 11, 2026 EPSS Score
  • Mar 13, 2026 EPSS Score