Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
DOMPurify Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-0540 - Vulnerability Database
DOMPurify

DOMPurify Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-0540

Medium
Reference: CVE-2026-0540
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-0540
Title: DOMPurify Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8 fixed in commit 729097f contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript xmp noembed noframes iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like lt/noscriptgtltimg srcx onerroralert(1)gt in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.