CVE-2025-26791

medium

Description

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

References

https://nsysean.github.io/posts/dompurify-323-bypass/

https://github.com/cure53/DOMPurify/releases/tag/3.2.4

https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02

https://ensy.zip/posts/dompurify-323-bypass/

Details

Source: Mitre, NVD

Published: 2025-02-14

Updated: 2025-02-14

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:N

Severity: Low

CVSS v3

Base Score: 4.5

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00074