1. DOMPurify XSS Bypass in XML Mode — No Patch Available (CVE-2026-0540)
A medium-severity Cross-Site Scripting (XSS) bypass vulnerability exists in DOMPurify versions 3.1.3 through 3.3.1. The vulnerability, tracked as CVE-2026-0540 and GHSA-v2wj-7wpq-c8vv, affects the library's `SAFE_FOR_XML` sanitization mode. The flaw stems from missing protection for five rawtext HTML elements (`noscrip...