XSS in Cure53 Dompurify

CVE-2026-49978

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify IN_PLACE sanitization could skip shadow contents attached to an element inside <template>.content, allowing attacker-controlled mar…

Vulnerability class: XSS (Cross-Site Scripting)

Affected products

Weakness classification (CWE)

References