CVE-2026-41239: DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
| Field | Value |
|---|---|
| Severity | Medium |
| Affected | DOMPurify main at 883ac15, introduced in v1.0.10 (7fc196db) |
The SAFE_FOR_TEMPLATES option strips {{...}} template expressions from untrusted HTML. That stripping is applied in string-output mode but not when RETURN_DOM or RETURN_DOM_FRAGMENT is set, so the sanitized DOM can still carry expressions that a template-evaluating framework such as Vue 2 will evaluate, allowing XSS.
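As an added, defender-side example (not DOMPurify's code and not part of this advisory): a post-processing pass over a RETURN_DOM / RETURN_DOM_FRAGMENT result that blanks template expressions in text nodes and attribute values, mirroring what SAFE_FOR_TEMPLATES does for string output. The interpolation patterns and the constructed sample tree are this example's own assumptions, not DOMPurify's internals.

```javascript
// Assumed set of interpolation syntaxes to neutralise: {{ }}, ${ }, <% %>.
// These are this example's own approximations, not DOMPurify's regexes.
const TEMPLATE_EXPRS = [/\{\{[\s\S]*?\}\}/g, /\$\{[\s\S]*?\}/g, /<%[\s\S]*?%>/g];

// Replace every template expression in a string with a single space.
function stripTemplateExpressions(value) {
  return TEMPLATE_EXPRS.reduce((s, re) => s.replace(re, ' '), value);
}

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;
const DOCUMENT_FRAGMENT_NODE = 11;

// Recursively blank template expressions in text nodes and attribute values,
// in place, and return the root. Works on real DOM nodes (Text.nodeValue and
// Attr.value are writable) and on any object exposing the same
// nodeType / childNodes / attributes shape, as the constructed tree below does.
function stripTemplatesFromDom(root) {
  if (root.nodeType === TEXT_NODE) {
    root.nodeValue = stripTemplateExpressions(root.nodeValue);
  } else if (root.nodeType === ELEMENT_NODE && root.attributes) {
    for (const attr of Array.from(root.attributes)) {
      attr.value = stripTemplateExpressions(attr.value);
    }
  }
  for (const child of Array.from(root.childNodes || [])) {
    stripTemplatesFromDom(child);
  }
  return root;
}

// Constructed stand-in for a RETURN_DOM_FRAGMENT result: a <div> whose title
// attribute and text child both carry a Vue-style {{ }} interpolation.
// Plain objects are used so the example runs offline without a browser DOM.
function buildSampleFragment() {
  const attr = { name: 'title', value: 'x {{ 1 + 1 }} y' };
  const text = { nodeType: TEXT_NODE, nodeValue: 'hello {{ a }} world', childNodes: [] };
  const div = { nodeType: ELEMENT_NODE, attributes: [attr], childNodes: [text] };
  return { nodeType: DOCUMENT_FRAGMENT_NODE, childNodes: [div] };
}
```

Run the pass over the node DOMPurify returns before handing it to a template-evaluating framework; where the output mode is negotiable, string output lets SAFE_FOR_TEMPLATES itself do the stripping.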