WS-2024-0017
Published: May 15, 2026
Updated: May 15, 2026
Insufficient checks in DOMPurify allow an attacker to bypass the sanitizer and execute arbitrary JavaScript code in the context of the page that renders the sanitized output. This issue affects DOMPurify versions before 2.5.8 and 3.x versions before 3.2.3.
Affected Packages
Each entry reads: package (ecosystem): affected version range; fix suggestion. "No fix available" reproduces the advisory's no_fix marker.

dompurify (CDN_JS): >=0.7.0 <2.5.8; fix: update to 2.5.8
dompurify (CDN_JS): >=3.0.0 <3.2.3; fix: update to 3.2.3
auspice (CONDA): >=2.23.0 <=2.50.0; no fix available
dompurify (NPM): >=3.0.0 <3.2.3; fix: update to 3.2.3
dompurify (NPM): >=0.4.0 <2.5.8; fix: update to 2.5.8
datepickeroffsettime (NUGET): =1.0.3 <1.0.4; fix: update to 1.0.4
nfdi4plants.fornax.template (NUGET): >=0.13.0 <=1.1.0; no fix available
markdown2pdf.console (NUGET): >=2.0.1 <=2.0.2; no fix available
jxlwqq/simditor (PHP): >=1.0.1 <=1.0.4; no fix available
nukeviet/nukeviet (PHP): >=dev-nukeviet4.6-future <dev-nukeviet5; fix: update to dev-nukeviet5
freepik-labs/dom-purify (PHP): >=dev-dependabot/npm_and_yarn/dompurify-2.3.2 <dev-dependabot/npm_and_yarn/dompurify-2.3.4; fix: update to dev-dependabot/npm_and_yarn/dompurify-2.3.4
centreon/centreon (PHP): =dev-MON-15375-fix-xss-security-vulnerabilities-in-ajaxldapsearch.js <dev-MON-15376-fix-xss-security-vulnerabilities-in-color_picker.php; fix: update to dev-MON-15376-fix-xss-security-vulnerabilities-in-color_picker.php
nukeviet/nukeviet (PHP): =dev-nukeviet5.0-future; no fix available
freepik-labs/dom-purify (PHP): =dev-dependabot/npm_and_yarn/jsdom-18.0.0 <dev-dependabot/npm_and_yarn/jsdom-18.0.1; fix: update to dev-dependabot/npm_and_yarn/jsdom-18.0.1
nilsteampassnet/teampass (PHP): =dev-dependabot/github_actions/docker/login-action-3 <dev-teampass_3.0; fix: update to dev-teampass_3.0
heycommunity/heycommunity-backend (PHP): >=v0.1.3 <dev-analysis-2221eB; fix: update to dev-analysis-2221eB
hipdevteam/wpforms (PHP): >=1.6.0.2 <1.6.3; fix: update to 1.6.3
depage/htmlform (PHP): >=dev-master <1.4.0; fix: update to 1.4.0
tikiwiki/diagram (PHP): >=v24.2.0 <v24.4.0; fix: update to v24.4.0
bravedave/dvc (PHP): >=v23.12.01 <=v24.01.01; no fix available
freepik-labs/dom-purify (PHP): >=dev-dependabot/npm_and_yarn/jsdom-16.5.3 <dev-dependabot/npm_and_yarn/jsdom-16.7.0; fix: update to dev-dependabot/npm_and_yarn/jsdom-16.7.0
moonshine/moonshine (PHP): =dev-3.x-collapse-menu <3.0.1; fix: update to 3.0.1
nilsteampassnet/teampass (PHP): >=dev-anti_bruteforce <dev-development; fix: update to dev-development
phpffcms/ffcms-assets (PHP): >=1.3.2 <=1.3.3; no fix available
shiguangxiaotou3/myweb (PHP): =dev-master; no fix available
zaoub/zaoub (PHP): =dev-master <0.1; fix: update to 0.1
levmyshkin/dom_purify (PHP): >=dev-main <=2.4.1; no fix available
adesso-mobile/php-confluence-client (PHP): =dev-master <0.1.0; fix: update to 0.1.0
heycommunity/heycommunity-backend (PHP): >=dev-develop <dev-devs/composer-script; fix: update to dev-devs/composer-script
freepik-labs/dom-purify (PHP): =dev-dependabot/npm_and_yarn/ws-7.4.6 <dev-dependabot/npm_and_yarn/ws-7.5.3; fix: update to dev-dependabot/npm_and_yarn/ws-7.5.3
moonshine/moonshine (PHP): >=2.14.0 <3.0.0-beta.2; fix: update to 3.0.0-beta.2
freepik-labs/dom-purify (PHP): >=dev-master <0.2.4; fix: update to 0.2.4
moonshine/moonshine (PHP): =dev-di-concept <dev-disable-outside-has-many; fix: update to dev-disable-outside-has-many
moonshine/ui (PHP): >=3.0.0-alpha <3.0.0-beta.2; fix: update to 3.0.0-beta.2
maxiao64/simditor (PHP): >=dev-master <=1.0.3; no fix available
ptadmin/admin (PHP): >=dev-main <v0.0.2; fix: update to v0.0.2
freepik-labs/dom-purify (PHP): =dev-dependabot/npm_and_yarn/dompurify-2.3.5 <dev-dependabot/npm_and_yarn/dompurify-2.3.6; fix: update to dev-dependabot/npm_and_yarn/dompurify-2.3.6
zaoub/zaoub (PHP): =dev-dependabot/npm_and_yarn/dot-prop-4.2.1 <dev-dependabot/npm_and_yarn/lodash-4.17.19; fix: update to dev-dependabot/npm_and_yarn/lodash-4.17.19
freepik-labs/dom-purify (PHP): >=dev-dependabot/npm_and_yarn/jsdom-20.0.3 <=dev-dependabot/npm_and_yarn/jsdom-21.1.1; no fix available
francoisjacquet/rosariosis (PHP): >=v9.0 <=v12.1.2; no fix available
freepik-labs/dom-purify (PHP): =dev-dependabot/npm_and_yarn/dompurify-2.3.8 <dev-dependabot/npm_and_yarn/dompurify-2.3.9; fix: update to dev-dependabot/npm_and_yarn/dompurify-2.3.9
hipdevteam/wpforms (PHP): >=1.8.9.1 <1.9.1.1; fix: update to 1.9.1.1
freepik-labs/dom-purify (PHP): >=dev-dependabot/npm_and_yarn/dompurify-2.4.1 <dev-dependabot/npm_and_yarn/lodash-4.17.21; fix: update to dev-dependabot/npm_and_yarn/lodash-4.17.21
jxlwqq/simditor (PHP): =dev-master <1.0.0; fix: update to 1.0.0
freepik-labs/dom-purify (PHP): >=dev-dependabot/npm_and_yarn/jsdom-19.0.0 <dev-dependabot/npm_and_yarn/jsdom-20.0.1; fix: update to dev-dependabot/npm_and_yarn/jsdom-20.0.1
devsfort/fortblog (PHP): >=dev-dev <=1.0.1; no fix available
heycommunity/heycommunity-backend (PHP): =dev-feature/dashboard <dev-fix/get-status-code; fix: update to dev-fix/get-status-code
calven/simditor (PHP): >=dev-master <=v0.0.2; no fix available
anna-stupina38/cinema-project (PHP): >=dev-master <=1.3; no fix available
zaoub/zaoub (PHP): >=dev-dependabot/npm_and_yarn/serialize-javascript-5.0.1 <=dev-dependabot/npm_and_yarn/yargs-parser-20.2.4; no fix available
heycommunity/heycommunity-backend (PHP): =dev-main <dev-migration; fix: update to dev-migration

Reading the list: only the dompurify entries carry the advisory's own fix versions (2.5.8 for the 2.x line, 3.2.3 for the 3.x line), and note that the 2.x lower bound differs between NPM (>=0.4.0) and CDN_JS (>=0.7.0). The remaining entries are downstream packages the advisory lists as affected through DOMPurify; their fix versions are their own release numbers. Ranges whose bounds are dev-* names (dev-master, dev-dependabot/..., and similar) are Composer branch aliases rather than release versions and are not ordered by SemVer, so for those packages check the branch your lockfile pins instead of comparing version numbers.
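The check a practitioner actually needs from this list is "is the dompurify version in my lockfile inside one of the affected ranges, and which version do I move to". The following Node.js script is an added example, not code from the advisory or from the DOMPurify project: it encodes the dompurify ranges from the NPM and CDN_JS entries above and tests a version against them using SemVer 2.0 precedence (pre-release ordering included), so that 3.0.0-beta.2 and 3.0.0 compare the way the package manager orders them. It assumes the version string is a SemVer version (a leading "v" is tolerated) taken from `npm ls dompurify --json` or the lockfile; the function names checkDompurify, compareSemver, parseSemver and inRange are this example's own.

```javascript
// Added example, not part of the advisory or of DOMPurify: check a dompurify
// version against the affected ranges this advisory lists for the NPM and CDN_JS
// ecosystems. Assumes SemVer 2.0 version strings (an optional leading "v" is
// tolerated); the version is expected to come from `npm ls dompurify --json` or
// the project's lockfile. checkDompurify/compareSemver are names chosen here.

const ADVISORY = 'WS-2024-0017';

// Ranges copied from the advisory's dompurify entries, with the fix version
// attached to each. Note the 2.x lower bound differs between the two ecosystems.
const AFFECTED = {
  NPM: [
    { min: '0.4.0', minInc: true, max: '2.5.8', maxInc: false, fix: '2.5.8' },
    { min: '3.0.0', minInc: true, max: '3.2.3', maxInc: false, fix: '3.2.3' },
  ],
  CDN_JS: [
    { min: '0.7.0', minInc: true, max: '2.5.8', maxInc: false, fix: '2.5.8' },
    { min: '3.0.0', minInc: true, max: '3.2.3', maxInc: false, fix: '3.2.3' },
  ],
};

// Parse "3.0.0-beta.2+build" into { core: [3, 0, 0], pre: ['beta', 2] }.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a SemVer version: ${v}`);
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// SemVer precedence (-1, 0, 1): core numerically; a pre-release sorts before
// the release it precedes (3.0.0-beta.2 < 3.0.0); numeric pre-release
// identifiers compare numerically and sort before alphanumeric ones.
function compareSemver(a, b) {
  const A = parseSemver(a);
  const B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;
  if (B.pre.length === 0) return -1;
  const n = Math.min(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i];
    const y = B.pre[i];
    if (x === y) continue;
    const xNum = typeof x === 'number';
    const yNum = typeof y === 'number';
    if (xNum && yNum) return x < y ? -1 : 1;
    if (xNum !== yNum) return xNum ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return Math.sign(A.pre.length - B.pre.length);
}

// True when version lies inside the range, honouring inclusive/exclusive bounds.
function inRange(version, r) {
  const lo = compareSemver(version, r.min);
  const hi = compareSemver(version, r.max);
  return (r.minInc ? lo >= 0 : lo > 0) && (r.maxInc ? hi <= 0 : hi < 0);
}

// Returns { advisory, version, ecosystem, affected, fix, range }.
function checkDompurify(version, ecosystem = 'NPM') {
  const ranges = AFFECTED[ecosystem];
  if (!ranges) throw new Error(`no ranges for ecosystem ${ecosystem}`);
  for (const r of ranges) {
    if (inRange(version, r)) {
      const range = `${r.minInc ? '>=' : '>'}${r.min} ${r.maxInc ? '<=' : '<'}${r.max}`;
      return { advisory: ADVISORY, version, ecosystem, affected: true, fix: r.fix, range };
    }
  }
  return { advisory: ADVISORY, version, ecosystem, affected: false, fix: null, range: null };
}

// Stand-alone run over constructed sample versions (not real inventory data).
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const v of ['2.5.7', '2.5.8', '3.1.7', '3.2.3', '0.5.0', '3.0.0-beta.1']) {
    console.log(JSON.stringify(checkDompurify(v, 'NPM')));
  }
}
```

Two things the run shows that the list alone does not: 0.5.0 is reported as affected for NPM but not for CDN_JS, because the two ecosystems have different 2.x lower bounds; and a pre-release such as 3.0.0-beta.1 falls outside both ranges under SemVer precedence (it sorts before 3.0.0 and after 2.5.8). The second result is a property of how the ranges are written, not evidence that such a build is safe, so treat pre-releases of an affected major line as affected until moved to the fix version.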
CVSS v4
Base Score: 5.1
Vector (assembled from the metrics below): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: ACTIVE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: NONE
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE

CVSS v3
Base Score: 6.1
Vector (assembled from the metrics below): AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Both scores follow the usual pattern for a sanitizer bypass leading to cross-site scripting: no privileges needed, a user interaction (the victim loading the page that renders the attacker's markup), and Scope CHANGED in v3 because the injected script runs in the victim's browser rather than in the component that performed the sanitization.