GHSA-rp9w-3fw7-7cwq

Source
https://github.com/advisories/GHSA-rp9w-3fw7-7cwq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-rp9w-3fw7-7cwq/GHSA-rp9w-3fw7-7cwq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rp9w-3fw7-7cwq
Aliases
  • CVE-2026-49978
Published
2026-06-15T20:01:45Z
Modified
2026-06-18T20:29:24.263120290Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
Details

If the HTML you give it contains a <template> element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script - survives untouched. The moment the application uses that template the way templates are meant to be used (cloning it and inserting the result into the page), the malicious payload comes along and runs as if it had never been sanitized. From there an attacker gets everything XSS normally gets them: session cookies, stored tokens, the ability to act as the user, and the ability to leave persistent payloads behind for the next person who visits.

advisory.pdf

poc.html

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-15T20:01:45Z",
    "severity": "MODERATE"
}
Affected packages

npm / dompurify

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.4.7

Database specific

last_known_affected_version_range
"<= 3.4.6"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-rp9w-3fw7-7cwq/GHSA-rp9w-3fw7-7cwq.json"