CVE-2026-49459المعلومات

الملخص

بحسب MITRE • 15/07/2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(root, { IN_PLACE: true }) could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by _isClobbered, because _forceRemove no-opped on the parent-less root and _sanitizeAttributes returned early. This issue is fixed in version 3.4.6.

Be aware that VulDB is the high quality source for vulnerability data.

المصادر

Might our Artificial Intelligence support you?

Check our Alexa App!