XSS in Cure53 Dompurify
CVE-2026-49978
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify IN_PLACE sanitization could skip shadow contents attached to an element inside <template>.content, allowing attacker-controlled mar…
Vulnerability class: XSS (Cross-Site Scripting)
Affected products
- Cure53 Dompurify — versions < 3.4.6
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)