UBUNTU-CVE-2025-26791
- Source
- https://ubuntu.com/security/CVE-2025-26791
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-26791.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-26791
- Related
- Published
- 2025-02-14T09:15:00Z
- Modified
- 2025-04-23T14:59:19Z
- Summary
- [none]
- Details
-
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
- References
-
- https://ubuntu.com/security/CVE-2025-26791
- https://www.cve.org/CVERecord?id=CVE-2025-26791
- https://ensy.zip/posts/dompurify-323-bypass/
- https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
- https://github.com/cure53/DOMPurify/releases/tag/3.2.4
- https://nsysean.github.io/posts/dompurify-323-bypass/
Affected packages
Ubuntu:22.04:LTS / node-dompurify
Package
- Name
- node-dompurify
- Purl
- pkg:deb/ubuntu/node-dompurify@2.3.3+dfsg-1?arch=source&distro=jammy
Ubuntu:24.10 / node-dompurify
Package
- Name
- node-dompurify
- Purl
- pkg:deb/ubuntu/node-dompurify@3.0.9+dfsg+~3.0.5-1?arch=source&distro=oracular
Ubuntu:24.04:LTS / node-dompurify
Package
- Name
- node-dompurify
- Purl
- pkg:deb/ubuntu/node-dompurify@3.0.9+dfsg+~3.0.5-1?arch=source&distro=noble