CVE-2025-26791

low-risk
Published 2025-02-14

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.5/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Dompurify

Affected Vendors

Cure53

References (5)

Exploit https://ensy.zip/posts/dompurify-323-bypass/
Patch https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0...
Release Notes https://github.com/cure53/DOMPurify/releases/tag/3.2.4
Exploit https://nsysean.github.io/posts/dompurify-323-bypass/
Exploit https://ensy.zip/posts/dompurify-323-bypass/
17
/ 100
low-risk
Severity 12/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal