Fluid Attacks Database

Description

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, SAFE_FOR_TEMPLATES strips {{...}} expressions from untrusted HTML. This works in string mode but not with RETURN_DOM or RETURN_DOM_FRAGMENT, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	dompurify	>=1.0.10 <3.4.0	3.4.0
debian 14	node-dompurify	=3.1.7+dfsg+~3.0.5-2 \|\| =3.2.5+dfsg-1 \|\| =3.3.2+dfsg-1 \|\| =3.3.3+dfsg-1 \|\| =3.3.3+dfsg-2 \|\| >=0 <3.4.1+dfsg-1	3.4.1+dfsg-1
debian 12	node-dompurify	=2.4.1+dfsg+~2.4.0-1 \|\| =2.4.1+dfsg+~2.4.0-2 \|\| =2.4.1+dfsg+~2.4.0-2+deb12u1 \|\| =3.0.9+dfsg+~3.0.5-1 \|\| =3.1.6+dfsg+~3.0.5-1 \|\| =3.1.7+dfsg+~3.0.5-1 \|\| =3.1.7+dfsg+~3.0.5-2 \|\| =3.2.5+dfsg-1 \|\| =3.3.2+dfsg-1 \|\| =3.3.3+dfsg-1 \|\| =3.3.3+dfsg-2 \|\| =3.4.1+dfsg-1	-
debian 13	node-dompurify	=3.1.7+dfsg+~3.0.5-2 \|\| =3.2.5+dfsg-1 \|\| =3.3.2+dfsg-1 \|\| =3.3.3+dfsg-1 \|\| =3.3.3+dfsg-2 \|\| =3.4.1+dfsg-1	-
rpm rhel10	grafana	-	-
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-

Aliases

1. CVE-2026-412392. NVD-2026-412393. OSV-2026-412394. OSV-DEBIAN-2026-412395. GHSA-crv5-9vww-q3g86. GCVE-2026-412397. SECURITY-TRACKER-CVE-2026-41239

References

1. https://github.com/cure53/DOMPurify/security/advisories/GHSA-crv5-9vww-q3g82. https://github.com/cure53/DOMPurify/releases/tag/3.4.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.