DOMPurify Security Patch: Critical XSS Bypass in Versions 3.1.3-3.3.1 Fixed in v3.3.2
A critical cross-site scripting (XSS) vulnerability in the widely-used DOMPurify HTML sanitization library has been patched, forcing a mandatory update for thousands of dependent applications. The flaw, tracked as CVE-2026-0540, allowed attackers to bypass the library's core security filters by exploiting a specific oversight in its `SAFE_FOR_XML` regular expression. This bypass could enable malicious scripts to execute in contexts where user input was thought to be safely sanitized, posing a direct threat to web application security.
The vulnerability resided in DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8. The security gap was caused by five missing rawtext elements—`noscript`, `xmp`, `noembed`, `noframes`, and `iframe`—in a key sanitization regex. This omission allowed attackers to craft payloads, such as `</noscript><img src=x onerror=alert()>`, that would slip past the sanitizer. The issue has been resolved in the newly released versions 2.5.9 and 3.3.2, with the latter being the focus of immediate dependency updates in projects using automated tools like Renovate.
The patch is not a routine update but a critical security fix. Any application relying on the affected versions of DOMPurify to clean user-generated HTML—common in comment systems, rich text editors, and content management platforms—remains exposed until upgraded. The disclosure triggers a widespread update cascade across the software supply chain, as developers and security teams scramble to apply the fix and audit their codebases for potential exploitation vectors introduced during the vulnerability window.
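One concrete way to do the audit described above, as an added example that is not part of the advisory or of the DOMPurify project: the script below takes the affected ranges quoted in this article (2.5.3-2.5.8 and 3.1.3-3.3.1), checks exact versions against them, and walks a package-lock.json `packages` map to flag every installed copy of `dompurify` that still needs the fix. The lockfile contents and the `some-editor` package name are constructed for the example.

```javascript
// Added example, not from the advisory or DOMPurify: affected ranges quoted in the text.
const AFFECTED_RANGES = [
  { from: [2, 5, 3], to: [2, 5, 8], fixed: '2.5.9' },
  { from: [3, 1, 3], to: [3, 3, 1], fixed: '3.3.2' },
];

// Parse an exact version such as "3.1.3" (optional leading "v") into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] tuples: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Return the version to upgrade to, or null when the version lies outside every affected range.
function affectedDomPurify(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED_RANGES.find(r => compareVersions(v, r.from) >= 0 && compareVersions(v, r.to) <= 0);
  return hit ? hit.fixed : null;
}

// Walk the "packages" map of a package-lock.json (v2/v3 format) and report every
// dompurify install, including nested copies under other packages, that still needs the patch.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/dompurify')) continue;
    const fixed = affectedDomPurify(meta.version);
    if (fixed) findings.push({ path, version: meta.version, upgradeTo: fixed });
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is patched, a nested copy is not.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/dompurify': { version: '3.3.2' },
    'node_modules/some-editor/node_modules/dompurify': { version: '3.1.5' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK)); // one finding: the nested 3.1.5 copy, upgrade to 3.3.2
```

The lockfile is checked rather than the `^` range in package.json because only the lockfile records the version actually resolved, and a transitive dependency can pin its own older copy of DOMPurify beneath a patched top-level one.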