CVE-2026-49978
Summary
by MITRE • 07/15/2026
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.7, DOMPurify IN_PLACE sanitization could skip shadow contents attached to an element inside .content, allowing attacker-controlled markup such as event handlers, JavaScript URLs, or scripts to survive and execute when an application cloned and inserted the sanitized template. This issue is fixed in version 3.4.7.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
DOMPurify serves as a critical security component in web applications by providing DOM-only sanitization for HTML, MathML, and SVG content to prevent cross-site scripting attacks. The vulnerability exists specifically within the IN_PLACE sanitization mode where the sanitizer processes elements that have shadow DOM contents attached to them. When an application uses this sanitization method on templates containing shadow DOM elements, the sanitizer fails to properly process the shadow content which can contain malicious markup such as event handlers, JavaScript URLs, or script tags that should normally be stripped during sanitization.
The technical flaw stems from how DOMPurify handles the cloning and insertion operations when processing elements with shadow DOM attachments. During IN_PLACE operations, the sanitizer clones template elements and attempts to insert sanitized content, but it does not adequately traverse or sanitize shadow root contents that are attached to elements within the .content property. This creates an attack vector where malicious code embedded in shadow DOM elements bypasses the sanitization process entirely, allowing attackers to inject harmful markup that executes when applications clone and insert these sanitized templates into the document.
The operational impact of this vulnerability is significant as it undermines the fundamental security assumptions of DOMPurify's sanitization mechanism. Applications that rely on IN_PLACE sanitization for template processing become vulnerable to persistent cross-site scripting attacks, where attacker-controlled content can be executed in the context of the user's session. This affects web applications that dynamically generate and sanitize templates containing shadow DOM elements, potentially allowing attackers to execute arbitrary JavaScript code, steal session tokens, or perform other malicious activities.
This vulnerability aligns with CWE-79 Cross-site Scripting and follows patterns seen in DOM-based XSS attacks where sanitization mechanisms fail to properly handle complex DOM structures. The issue also relates to ATT&CK technique T1059.007 for executed code within web applications, as the sanitized content containing malicious JavaScript URLs or event handlers can execute when inserted into the document. Organizations using DOMPurify in their security stack should immediately upgrade to version 3.4.7 or later where this specific issue has been addressed through improved shadow DOM content traversal and sanitization logic.
The fix implemented in version 3.4.7 ensures that when processing IN_PLACE sanitization, DOMPurify properly examines and sanitizes all shadow root contents attached to elements within the .content property. This enhancement prevents malicious markup from surviving the sanitization process and maintains the integrity of the security model that DOMPurify provides for protecting web applications against XSS attacks. Security teams should conduct thorough testing of their applications after upgrading to ensure that all template processing operations using IN_PLACE sanitization function correctly without introducing regressions in functionality while maintaining the enhanced security posture.