DOMPurify XSS Bypass in XML Mode — No Patch Available (CVE-2026-0540)
A medium-severity Cross-Site Scripting (XSS) bypass vulnerability exists in DOMPurify versions 3.1.3 through 3.3.1. The vulnerability, tracked as CVE-2026-0540 and GHSA-v2wj-7wpq-c8vv, affects the library's `SAFE_FOR_XML` sanitization mode. The CVSS 3.1 score is 6.1.

The flaw stems from missing protection for five rawtext HTML elements (`noscript`, `xmp`, `noembed`, `noframes`, `iframe`) in the sanitization regex. This allows an attacker to craft a payload (e.g., `</noscript><img src=x onerror=alert(1)>`) within attribute values that survives sanitization and executes JavaScript when the output is rendered inside those rawtext contexts.

A fix has been committed upstream (commit 729097f) but, as of 2026-03-05, no patched version (e.g., 3.3.2) has been released to npm. This creates a window of exposure: dependent applications remain vulnerable until the official patch is released and deployed.

The vulnerability impacts the `lucos_arachne` project via its dependency on `@zazuko/yasgui`, which uses DOMPurify to sanitize SPARQL query results before browser rendering. Exploitation would require an attacker to control data in the SPARQL triple store that is subsequently rendered via YASGUI. The risk is not zero: the attack vector is present if the triple store ingests external data sources.
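To check whether a project sits inside the affected range, its npm lockfile can be scanned for DOMPurify copies at versions 3.1.3 through 3.3.1. The following is an added example, not code from DOMPurify, YASGUI or `lucos_arachne`; the function names and the sample lockfile are constructed for illustration, and it assumes a `package-lock.json` with lockfileVersion 2 or 3.

```javascript
// Affected range as stated in the advisory text above (inclusive on both ends).
const AFFECTED = { min: [3, 1, 3], max: [3, 3, 1] };

// Parse "3.2.4" or "3.2.4-rc.1" into [3, 2, 4]; null if there is no x.y.z core.
// Pre-release tags are ignored, so a pre-release of an affected version is flagged.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, AFFECTED.min) >= 0 && cmp(v, AFFECTED.max) <= 0;
}

// Walk the lockfile's "packages" map and return every affected dompurify copy,
// with the package whose node_modules directory contains it.
function findAffectedDompurify(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/").filter(Boolean).map(p => p.replace(/\/$/, ""));
    if (parts[parts.length - 1] !== "dompurify" || !isAffected(meta.version)) continue;
    const nestedUnder = parts.length > 1 ? parts[parts.length - 2] : "(hoisted to top level)";
    hits.push({ path, version: meta.version, nestedUnder });
  }
  return hits;
}

// Constructed sample lockfile fragment; the package versions here are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@zazuko/yasgui": { version: "0.0.0-sample" },
    "node_modules/@zazuko/yasgui/node_modules/dompurify": { version: "3.2.4" },
    "node_modules/dompurify": { version: "3.0.11" },
  },
};

console.log(findAffectedDompurify(sampleLock));
```

When the affected copy is hoisted to the top level, the lockfile path does not show which dependency requested it; `npm ls dompurify` prints the full dependency chain.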