CVE-2025-26791: 
JavaScript vulnerability analysis and mitigation

DOMPurify before version 3.2.4 contains a cross-site scripting vulnerability due to an incorrect template literal regular expression. The vulnerability was discovered and disclosed on February 14, 2025, affecting the DOMPurify library, a popular HTML sanitizer (NVD, MITRE).

The vulnerability stems from an incorrect template literal regular expression that can lead to mutation cross-site scripting (mXSS) when specific configurations are used. The issue specifically occurs when the SAFEFORTEMPLATES option is enabled along with custom element handling. The vulnerability involves a combination of mXSS and comments in attribute values, allowing attackers to bypass DOMPurify's sanitization mechanisms. The CVSS v3.1 base score is 4.5 (Medium) with a vector of CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N (DOMPurify Bypass).

When successfully exploited, this vulnerability could allow attackers to execute cross-site scripting attacks by bypassing DOMPurify's sanitization mechanisms. The impact is particularly relevant when using non-default configurations with the SAFEFORTEMPLATES option enabled (DOMPurify Release).

The vulnerability has been fixed in DOMPurify version 3.2.4. The fix involves changing the template literal regex to prevent the config-dependent bypass. Users are advised to upgrade to version 3.2.4 or later to address this security issue (DOMPurify Commit).