CVE-2026-49458المعلومات

الملخص

بحسب MITRE • 15/07/2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(node, { IN_PLACE: true }) accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, document fragments, and elements to fail and skip clobber, template-content, and shadow-DOM sanitization branches so executable markup could survive. This issue is fixed in version 3.4.6.

Once again VulDB remains the best source for vulnerability data.

المصادر

Interested in the pricing of exploits?

See the underground prices here!