dompurify

16 known vulnerabilities · 0 critical · 1 high

GHSA-39q2-94rc-95cp

DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

Published Apr 16, 2026

CVE-2026-0540

DOMPurify contains a Cross-site Scripting vulnerability

Published Mar 3, 2026

CVE-2019-16728MEDIUM

Cross-Site Scripting in dompurify

Published Aug 28, 2020

CVE-2020-26870MEDIUM

Cross-site Scripting in dompurify

Published Dec 18, 2020

CVE-2025-15599

DOMPurify contains a Cross-site Scripting vulnerability

Published Mar 3, 2026

CVE-2019-25155MEDIUM

DOMPurify Open Redirect vulnerability

Published Nov 14, 2023

GHSA-cj63-jhhr-wcxv

DOMPurify USE_PROFILES prototype pollution allows event handlers

Published Apr 3, 2026

CVE-2024-47875

DOMpurify has a nesting-based mXSS

Published Oct 11, 2024

CVE-2024-45801HIGH

DOMPurify allows tampering by prototype pollution

Published Sep 16, 2024

GHSA-cjmm-f4jc-qw8r

DOMPurify ADD_ATTR predicate skips URI validation

Published Apr 3, 2026

GHSA-h8r8-wccr-v5f2

DOMPurify is vulnerable to mutation-XSS via Re-Contextualization

Published Mar 27, 2026

CVE-2025-26791

DOMPurify allows Cross-site Scripting (XSS)

Published Feb 14, 2025

GHSA-crv5-9vww-q3g8

DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode

Published Apr 22, 2026

GHSA-h7mw-gpvr-xq4m

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

Published Apr 22, 2026

GHSA-v9jr-rg53-9pgp

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Published Apr 22, 2026

MAL-2024-9052

Malicious code in express-dompurify (npm)

Published Oct 1, 2024

Check your entire dependency tree at onceRun dependency scan →