{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-26T05:59:29.112","vulnerabilities":[{"cve":{"id":"CVE-2026-0540","sourceIdentifier":"help@fluidattacks.com","published":"2026-03-03T18:16:24.457","lastModified":"2026-06-17T10:10:54.790","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts."},{"lang":"es","value":"DOMPurify 3.1.3 a 3.3.1 y 2.5.3 a 2.5.8, corregido en la confirmación 729097f, contienen una vulnerabilidad de secuencias de comandos entre sitios que permite a los atacantes eludir la desinfección de atributos aprovechando cinco elementos de texto sin formato que faltan (noscript, xmp, noembed, noframes, iframe) en la expresión regular SAFE_FOR_XML. 
Los atacantes pueden incluir cargas útiles como </noscript><img src=x onerror=alert(1)> en los valores de los atributos para ejecutar JavaScript cuando la salida saneada se coloca dentro de estos contextos de texto sin formato desprotegidos."}],"affected":[{"source":"help@fluidattacks.com","affectedData":[{"vendor":"cure53","product":"DOMPurify","defaultStatus":"unaffected","versions":[{"version":"3.1.3","lessThanOrEqual":"3.3.1","versionType":"semver","status":"affected"},{"version":"2.5.3","lessThanOrEqual":"2.5.8","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"help@fluidattacks.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NO
T_DEFINED"}}],"cvssMetricV31":[{"source":"help@fluidattacks.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-03T19:01:28.294008Z","id":"CVE-2026-0540","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"help@fluidattacks.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*","versionStartIncluding":"2.5.3","versionEndIncluding":"2.5.8","matchCriteriaId":"C22E0FEE-2372-417A-844F-551C74F3E0AE"},{"vulnerable":true,"criteria":"cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.3","versionEndIncluding":"3.3.1","matchCriteriaId":"A8A0F3E6-D011-485E-941C-D0C68AB314D5"}]}]}],"references":[{"url":"https://fluidattacks.com/advisories/daft","source":"help@fluidattacks.com"},{"url":"https://github.com/cure53/DOMPurify","source":"help@fluidattacks.com","tags":["Product"]},{"url":"https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80","source":"help@fluidattacks.com"},{"url":"https://github.com/cure53/DOMPurify/releases/tag/3.3.2","source":"help@fluidattacks.com"},{"url":"https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml","source":"help@fluidattacks.com","tags":["Third Party Advisory"]}]}}]}