DOMPurify Security Patch: Critical XSS Bypass in Widespread HTML Sanitizer (CVE-2026-0540)
A critical security vulnerability in DOMPurify, a widely used HTML sanitization library, has been patched after exposing countless web applications to cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2026-0540, allowed attackers to bypass the library's core security filters by exploiting a specific oversight in its `SAFE_FOR_XML` regular expression. This bypass could enable malicious actors to inject and execute arbitrary JavaScript in contexts where user input was thought to be safely sanitized.
The vulnerability resided in versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8 of the library, which is maintained by Cure53. The security gap was caused by five missing rawtext elements—`noscript`, `xmp`, `noembed`, `noframes`, and `iframe`—in a key sanitization regex. Attackers could craft payloads, such as `</noscript><img src=x onerror=alert()>`, to slip past the sanitizer and execute scripts in the victim's browser. The issue has been resolved in the newly released versions 2.5.9 and 3.3.2.
This patch is a mandatory update for any project relying on DOMPurify to clean user-generated HTML, a common requirement for comment sections, rich-text editors, and content management systems. The vulnerability's presence in a foundational security tool underscores the persistent risk in the software supply chain, where a single library flaw can propagate across thousands of applications. Developers must immediately update their dependencies to the patched versions to close this direct avenue for client-side code injection.
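To locate every copy of DOMPurify in a dependency tree that falls inside the affected ranges named above, here is an added audit helper (not DOMPurify's or Cure53's code); it assumes a package-lock style object of the constructed shape `{ packages: { "<path>": { version } } }`, and the sample lockfile is constructed for illustration.

```javascript
// Added example: audit a dependency tree for the DOMPurify versions named in
// the advisory. Not DOMPurify code; the lockfile object below is constructed.

// Affected ranges as stated in the advisory (inclusive bounds).
const AFFECTED_RANGES = [
  { min: [2, 5, 3], max: [2, 5, 8] },
  { min: [3, 1, 3], max: [3, 3, 1] },
];

// Parse "x.y.z" (optional leading "v", trailing pre-release ignored) into numbers.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given DOMPurify version falls inside an affected range.
function isAffectedDomPurify(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0
  );
}

// Walk a package-lock style tree and return "path@version" for every
// vulnerable DOMPurify copy, including nested (transitive) installs.
function findVulnerableDomPurify(lockfile) {
  const hits = [];
  for (const [path, info] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/dompurify$/.test(path)) continue;
    if (isAffectedDomPurify(info.version)) hits.push(`${path}@${info.version}`);
  }
  return hits;
}

// Constructed sample: a patched top-level copy, one vulnerable nested copy,
// and an old nested copy that predates the affected range.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/dompurify": { version: "3.3.2" },
    "node_modules/some-editor/node_modules/dompurify": { version: "3.2.4" },
    "node_modules/legacy-widget/node_modules/dompurify": { version: "2.5.2" },
  },
};

console.log(findVulnerableDomPurify(SAMPLE_LOCK));
```

Nested copies under a second `node_modules` directory are the ones a top-level `npm ls` glance tends to miss, which is why the walk matches the path suffix rather than only the root entry.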