CVE-2026-49459 in DOMPurifythông tin

Tóm tắt

Bởi MITRE • 15/07/2026

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(root, { IN_PLACE: true }) could preserve event-handler attributes on an attacker-controlled <form> root when a descendant name clobbered properties checked by _isClobbered, because _forceRemove no-opped on the parent-less root and _sanitizeAttributes returned early. This issue is fixed in version 3.4.6.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

chịu trách nhiệm

GitHub M

Đặt trước

30/05/2026

Tiết lộ

15/07/2026

Kiểm duyệt

được chấp nhận

EPSS

0.00000

KEV

không

Các hoạt động

thấp

Nguồn

Want to know what is going to be exploited?

We predict KEV entries!