← back
CVE-2025-26791

CVE-2025-26791

CVSS 4.5 MEDIUMEPSS 0.6%CWE-79
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products
Cure53 · DOMPurify

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://ensy.zip/posts/dompurify-323-bypass/https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02https://github.com/cure53/DOMPurify/releases/tag/3.2.4https://nsysean.github.io/posts/dompurify-323-bypass/