CVE-2026-49458 in DOMPurifyinfo

Summary

by MITRE • 07/15/2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(node, { IN_PLACE: true }) accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, document fragments, and elements to fail and skip clobber, template-content, and shadow-DOM sanitization branches so executable markup could survive. This issue is fixed in version 3.4.6.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

DOMPurify serves as a critical security component in web applications by sanitizing HTML content to prevent cross-site scripting attacks through DOM-based validation mechanisms. The vulnerability exists specifically within the IN_PLACE sanitization mode where the library accepts foreign-realm DOM nodes from same-origin sources while subsequent validation processes utilize parent-realm constructors for type checking. This mismatch creates a fundamental inconsistency in the sanitization process that allows certain executable markup to bypass security controls.

The technical flaw stems from inconsistent constructor references during instanceof checks, particularly affecting forms, named node maps, document fragments, and element objects within the DOM hierarchy. When DOMPurify processes nodes with IN_PLACE enabled, it fails to properly validate these foreign-realm objects against their expected parent-realm constructors, resulting in skipped sanitization branches for critical security measures including clobber protection, template-content sanitization, and shadow-DOM handling. This architectural inconsistency creates a pathway for malicious code execution by allowing potentially dangerous markup to remain unfiltered.

The operational impact of this vulnerability extends beyond simple XSS protection failures, as it represents a fundamental breakdown in the library's security model where trusted same-origin nodes can bypass critical sanitization checks. Attackers could exploit this weakness by injecting specially crafted DOM nodes that leverage the constructor mismatch to avoid detection mechanisms designed to prevent execution of malicious script content. The vulnerability effectively undermines the core purpose of DOMPurify by allowing dangerous markup to persist through the sanitization process, potentially enabling various attack vectors including DOM-based XSS, code injection, and privilege escalation within the browser context.

This security gap aligns with CWE-79 (Cross-site Scripting) and CWE-116 (Improper Encoding or Escaping of Output) categories while demonstrating characteristics consistent with ATT&CK technique T1203 (Exploitation for Client Execution) and T1555 (Credentials from Password Stores). The vulnerability represents a failure in proper object validation and constructor consistency within the DOM sanitization pipeline, creating a security boundary that allows malicious content to traverse without proper filtering. Organizations relying on DOMPurify for HTML sanitization should immediately upgrade to version 3.4.6 or later to remediate this critical flaw, as the vulnerability enables bypass of essential security controls designed to prevent script execution within web applications. The fix addresses the constructor validation mismatch by ensuring consistent realm checking across all sanitization branches, thereby restoring proper protection against DOM-based cross-site scripting attacks and maintaining the integrity of the library's security guarantees.

Responsible

GitHub M

Reservation

05/30/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!