DEBIAN-CVE-2026-41238

DEBIAN-CVE-2026-41238 PUBLISHED CVSS 6.900000095367432 MEDIUM

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.

Risk Scores

CVSS 3.1

6.900000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:14	node-dompurify	0, 3.3.3+dfsg, 3.3.3+dfsg
Debian:13	node-dompurify	3.4.1+dfsg, 0, 3.2.5+dfsg-1
Debian:12	node-dompurify	, , 3.3.3+dfsg-2

Exploit Intelligence

server.js (github-poc)

Timeline

Apr 23, 2026 CVE Published
May 1, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-41238 advisory

Open in Interactive Console →