CVE-2026-49459 in DOMPurifyinfo

Summary

by MITRE • 07/15/2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(root, { IN_PLACE: true }) could preserve event-handler attributes on an attacker-controlled <form> root when a descendant name clobbered properties checked by _isClobbered, because _forceRemove no-opped on the parent-less root and _sanitizeAttributes returned early. This issue is fixed in version 3.4.6.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/15/2026

DOMPurify serves as a critical security library for sanitizing HTML content to prevent cross-site scripting attacks by removing potentially dangerous elements and attributes from user-provided input. The vulnerability described affects versions prior to 3.4.6 where a specific code path could allow malicious event handler attributes to persist in sanitized output when processing attacker-controlled DOM trees with the IN_PLACE flag enabled. This flaw specifically occurs during attribute sanitization when a descendant element name inadvertently clobbers properties that DOMPurify checks for during its internal validation process.

The technical mechanism behind this vulnerability involves the _isClobbered function which performs property checks on DOM elements to identify potentially dangerous attributes that could lead to script execution. When processing with IN_PLACE set to true, the sanitization routine attempts to modify the root element in place rather than creating a new document fragment. However, under certain conditions where an attacker controls the structure of the root element and its descendants, the _forceRemove function fails to properly remove event handler attributes on the parent-less root element. Additionally, the _sanitizeAttributes function returns early without completing its full validation routine, allowing malicious attributes to slip through the sanitization process.

This vulnerability creates a significant operational impact as it effectively bypasses DOMPurify's core security guarantees when used with the IN_PLACE option. An attacker could craft HTML content that, when processed by DOMPurify with these specific parameters, would retain dangerous event handlers such as onclick, onmouseover, or other JavaScript event attributes. The implications extend beyond simple XSS prevention since these preserved attributes could execute arbitrary JavaScript code in the context of the victim's browser session, potentially leading to account takeovers, data exfiltration, or other malicious activities.

The fix implemented in version 3.4.6 addresses this by ensuring proper handling of the _forceRemove function when processing parent-less root elements and by preventing early returns from _sanitizeAttributes that could skip crucial validation steps. This remediation aligns with security best practices outlined in CWE-79 for cross-site scripting prevention and follows ATT&CK techniques related to XSS exploitation through DOM manipulation. Organizations using DOMPurify should immediately upgrade to version 3.4.6 or later, particularly those employing the IN_PLACE sanitization option with user-controllable input sources. System administrators and security teams should conduct thorough code reviews to identify any applications that may be utilizing this vulnerable configuration and ensure proper patching across all affected environments.

This vulnerability demonstrates the complexity of DOM-based security implementations where seemingly minor edge cases in element property handling can create significant security holes. The issue highlights the importance of comprehensive testing for edge conditions in security libraries, particularly those dealing with in-place DOM manipulation and property clobbering scenarios. Security professionals should be aware that even well-established sanitization libraries may contain subtle flaws when specific combinations of parameters are used, emphasizing the need for continuous monitoring and timely patch management across all security dependencies in web applications.

Responsible

GitHub M

Reservation

05/30/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!