CVE-2025-26791 Information

Description

DOMPurify before 3.2.4 has an incorrect template literal regular expression sometimes leading to mutation cross-site scripting (mXSS).

Reference

https://ensy.zip/posts/dompurify-323-bypass/ https://ensy.zip/posts/dompurify-323-bypass/ https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02 https://github.com/cure53/DOMPurify/releases/tag/3.2.4 https://nsysean.github.io/posts/dompurify-323-bypass/