CVE-2026-0540 (Medium) detected in dompurify-3.2.7.tgz

[mend-bolt-for-github]

CVE-2026-0540 - Medium Severity Vulnerability

Vulnerable Library - dompurify-3.2.7.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-3.2.7.tgz

Path to dependency file: /ui/package.json

Path to vulnerable library: /ui/node_modules/.pnpm/dompurify@3.2.7/node_modules/dompurify/package.json

Dependency Hierarchy:

• @postgres.ai/ce-4.0.3.tgz (Root Library)
  • react-4.7.0.tgz
    • monaco-editor-0.55.1.tgz
      • ❌ dompurify-3.2.7.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Publish Date: 2026-03-03

URL: CVE-2026-0540

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with Mend here