DOMPurify Cross-Site Scripting Vulnerability in SAFE_FOR_TEMPLATES with RETURN_DOM Mode

Vulnerability

A cross-site scripting (XSS) vulnerability exists in DOMPurify versions from 1.0.10 up to, but not including, 3.4.0. The SAFE_FOR_TEMPLATES option is intended to strip '{{...}}' template expressions from untrusted HTML, but it does not take effect when the RETURN_DOM or RETURN_DOM_FRAGMENT mode is enabled: the returned DOM still carries the expressions. Because template-evaluating frameworks such as Vue 2 evaluate those expressions when the DOM is mounted, the surviving expressions enable XSS.

Impact

Exploiting this vulnerability allows cross-site scripting: an attacker who controls the sanitized HTML can execute scripts in the context of the user's browser session with the application's origin.

Reproduction

To reproduce this vulnerability, use DOMPurify version 3.3.3 with the SAFE_FOR_TEMPLATES option set to true and the RETURN_DOM option enabled. After sanitizing the input, the resulting DOM still contains the template expression; when it is mounted into a Vue 2 application, Vue evaluates the expression and the injected script payload executes.

Remediation

Users can upgrade to DOMPurify version 3.4.0 or later, where this vulnerability has been patched.
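The reproduction and remediation sections above describe a configuration whose output cannot be trusted on affected versions. The following is an added example, not code from DOMPurify or from this advisory: a small regression check that walks a returned DOM (Element, DocumentFragment, or a plain object of the same shape) and reports any text node or attribute that still carries template syntax, plus an in-place fallback that strips it. The three expression patterns are an assumption modelled on what SAFE_FOR_TEMPLATES is documented to remove, not a copy of DOMPurify's internals, and the sample fragment is constructed to stand in for sanitizer output on an affected version.

```javascript
// Added example (not DOMPurify project code). Detects and strips template
// expressions left behind in a DOM tree, mirroring the intent of the
// SAFE_FOR_TEMPLATES option. Patterns are an assumption modelled on the
// documented behaviour, not DOMPurify's own regular expressions.
const PAIRED_TEMPLATE_EXPRS = [
  /\{\{[\w\W]*?\}\}/g, // mustache-style, evaluated by Vue 2 / Angular templates
  /<%[\w\W]*?%>/g,     // ERB-style
  /\$\{[\w\W]*?\}/g,   // JS template-literal style
];
// A lone delimiter is also treated as suspect, so detection stays conservative.
const TEMPLATE_DELIMITER = /\{\{|\}\}|<%|%>|\$\{/;

function containsTemplateExpression(text) {
  return typeof text === 'string' && TEMPLATE_DELIMITER.test(text);
}

// Replaces paired expressions, then any stray delimiter, with a single space.
function stripTemplateExpressions(text) {
  let out = text;
  for (const re of PAIRED_TEMPLATE_EXPRS) out = out.replace(re, ' ');
  return out.replace(/\{\{|\}\}|<%|%>|\$\{/g, ' ');
}

// Walks the tree and returns every location that still carries template syntax.
// `path` is a child-index trail from the root, useful when reporting a finding.
function findTemplateExpressions(node, path = 'root') {
  const hits = [];
  if (node.nodeType === 3 && containsTemplateExpression(node.nodeValue)) {
    hits.push({ path, kind: 'text', value: node.nodeValue });
  }
  for (const attr of Array.from(node.attributes || [])) {
    if (containsTemplateExpression(attr.value)) {
      hits.push({ path, kind: 'attribute', name: attr.name, value: attr.value });
    }
  }
  Array.from(node.childNodes || []).forEach((child, i) => {
    hits.push(...findTemplateExpressions(child, `${path}/${i}`));
  });
  return hits;
}

// Fallback that rewrites the tree in place. Node.nodeValue and Attr.value are
// writable on real DOM nodes, so this also works on a browser DocumentFragment.
function stripTemplateExpressionsFromDom(node) {
  if (node.nodeType === 3 && typeof node.nodeValue === 'string') {
    node.nodeValue = stripTemplateExpressions(node.nodeValue);
  }
  for (const attr of Array.from(node.attributes || [])) {
    if (typeof attr.value === 'string') attr.value = stripTemplateExpressions(attr.value);
  }
  for (const child of Array.from(node.childNodes || [])) stripTemplateExpressionsFromDom(child);
  return node;
}

// Constructed stand-in for a DocumentFragment returned by a sanitizer whose
// SAFE_FOR_TEMPLATES handling was skipped in RETURN_DOM mode: the mustache
// expression survives inside a text node. Shape mimics the DOM API (nodeType,
// nodeValue, attributes, childNodes) so the functions above run unchanged on
// a real fragment in the browser.
function makeSampleFragment() {
  return {
    nodeType: 11,
    childNodes: [
      {
        nodeType: 1,
        nodeName: 'DIV',
        attributes: [{ name: 'title', value: 'safe title' }],
        childNodes: [{ nodeType: 3, nodeValue: 'Hello {{ untrusted_expression }}' }],
      },
      { nodeType: 3, nodeValue: 'plain text' },
    ],
  };
}

// Runs the check on the sample and returns counts before and after stripping.
function demo() {
  const frag = makeSampleFragment();
  const before = findTemplateExpressions(frag).length;
  stripTemplateExpressionsFromDom(frag);
  const after = findTemplateExpressions(frag).length;
  return { before, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // sample output is the object returned by demo()
}
```

In a browser test suite the same walk can be run over real sanitizer output, for example `findTemplateExpressions(DOMPurify.sanitize(dirty, { SAFE_FOR_TEMPLATES: true, RETURN_DOM_FRAGMENT: true }))`; a non-empty result means the deployed DOMPurify is affected. The in-place strip is only a stopgap for code paths that cannot be upgraded immediately; the remediation is DOMPurify 3.4.0 or later.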

Added: Apr 23, 2026, 4:26 PM
Updated: Apr 23, 2026, 4:26 PM

Vulnerability Rating (Custom Algorithm)

  spread          2.4
  impact          1.7
  exploitability  5.6
  remediation     7.7
  relevance       6.5
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.