CVE-2026-49978
Published: June 15, 2026
Updated: June 18, 2026
DOMPurify does not sanitize the contents of a shadow root attached to an element inside a <template> element. If the HTML passed to DOMPurify.sanitize contains a <template>, and an element inside that template has a shadow DOM attached to it, the shadow contents come back untouched: an <img> with an onerror handler, a link with a javascript: URL, even a complete <script> element. Nothing fires at sanitization time, because template contents are inert. The payload runs the moment the application uses the template the way templates are meant to be used, cloning its content and inserting the clone into the live page; from then on the unsanitized markup is treated as if it had been sanitized. The consequences are those of any XSS in the page's origin: session cookies, stored tokens, the ability to act as the user, and persistent payloads left behind for the next person who visits.
Affected Packages
https://github.com/cure53/DOMPurify.git (GITHUB):
Affected version(s): >=v0.3 <3.4.7
Fix Suggestion: Update to version 3.4.7
dompurify (NPM):
Affected version(s): >=0.4.0 <3.4.7
Fix Suggestion: Update to version 3.4.7
Related Resources (2)
advisory.pdf: https://github.com/user-attachments/files/28275600/advisory.pdf
poc.html: https://github.com/user-attachments/files/28275708/poc.html
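Two checks a responder wants at this point, written here as an added example that is not part of the advisory, of the attached proof of concept, or of DOMPurify: a version-range test against the npm range listed above (>=0.4.0 <3.4.7), and a hunt over already-stored HTML for the payload shape the description gives, an outer <template> whose subtree attaches a shadow root. Serialized HTML can only attach a shadow root declaratively, through a nested <template shadowrootmode=...> (or the pre-standard shadowroot attribute), so that is what the scanner looks for. The function names, the range constants and the sample stored HTML are constructed for this example; the scanner is a triage aid for content that is already in your database, not a sanitizer, and must not be used to decide what input to accept.

```javascript
// Added triage helper for this advisory. Not code from DOMPurify or from the
// advisory; the function names, the version-range constants and the sample
// HTML below are constructed for this example.

// npm range from the advisory: >=0.4.0 <3.4.7 (3.4.7 is the first fixed release).
const AFFECTED_MIN = [0, 4, 0];
const FIXED_VERSION = [3, 4, 7];

// Parse "3.4.6", "v3.4.6" or "3.4.6-beta.1" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when an installed dompurify version falls inside the affected range.
function isAffectedDompurify(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED_VERSION) < 0;
}

// Hunting heuristic over stored HTML: report every <template> element whose
// subtree declares a shadow root via a nested <template shadowrootmode=...>
// (or the pre-standard shadowroot attribute). Matching is by regex over
// template tags plus nesting depth, which is adequate for triage of stored
// content and unsuitable as an input filter: this is not a sanitizer.
function findTemplateShadowPayloads(html) {
  const tagRe = /<(\/?)template\b([^>]*)>/gi;
  const shadowAttrRe = /\bshadowroot(?:mode)?\s*=/i;
  const findings = [];
  const open = []; // stack of currently open <template> tags: { start, flagged }
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isCloseTag = m[1] === '/';
    if (!isCloseTag) {
      if (open.length > 0 && shadowAttrRe.test(m[2])) {
        // a declarative shadow root nested inside the nearest enclosing template
        open[open.length - 1].flagged = true;
      }
      open.push({ start: m.index, flagged: false });
    } else if (open.length > 0) {
      const tpl = open.pop();
      if (tpl.flagged) {
        findings.push({
          offset: tpl.start,
          snippet: html.slice(tpl.start, m.index + m[0].length),
        });
      }
    }
  }
  return findings;
}

// Constructed sample of stored user content: one plain template and one that
// carries the payload shape from the description (an <img> with an onerror
// handler inside a shadow root declared within a <template>).
const SAMPLE_STORED_HTML =
  '<p>hello</p>' +
  '<template id="card"><div><template shadowrootmode="open">' +
  '<img src="x" onerror="alert(document.domain)"></template></div></template>' +
  '<template id="plain"><span>no shadow root here</span></template>';

// Stand-alone run: report affected versions and any suspicious templates.
for (const v of ['3.4.6', '3.4.7', '0.3.0']) {
  console.log(`dompurify ${v}: ${isAffectedDompurify(v) ? 'AFFECTED' : 'not affected'}`);
}
for (const f of findTemplateShadowPayloads(SAMPLE_STORED_HTML)) {
  console.log(`template with declared shadow root at offset ${f.offset}: ${f.snippet}`);
}
```

The advisory's fix is the upgrade to 3.4.7. Where templates are never legitimate input, DOMPurify's existing FORBID_TAGS option (DOMPurify.sanitize(html, { FORBID_TAGS: ['template'] })) removes <template> elements from the output and is worth enabling as defence in depth; the advisory does not say that this alone covers every variant of the issue, so treat it as an interim measure, not a substitute for upgrading.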
CVSS v4
Base Score: 5.1
Vector (derived from the metrics listed): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: ACTIVE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: NONE
Subsequent System Confidentiality: LOW
Subsequent System Integrity: LOW
Subsequent System Availability: NONE
CVSS v3
Base Score: 6.1
Vector (derived from the metrics listed): AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE
Weakness Type (CWE): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')