CVE-2025-26791

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

• How can I get the fixes?
• What do statuses mean?

References

• MITRE
• NVD
• Launchpad
• Debian

Other references

• https://www.cve.org/CVERecord?id=CVE-2025-26791
• https://ensy.zip/posts/dompurify-323-bypass/
• https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
• https://github.com/cure53/DOMPurify/releases/tag/3.2.4
• https://nsysean.github.io/posts/dompurify-323-bypass/