CVE-2026-41239 Overview
CVE-2026-41239 is a cross-site scripting (XSS) vulnerability [CWE-79] in DOMPurify, a widely deployed DOM-only sanitizer for HTML, MathML, and SVG. The flaw affects versions from 1.0.10 up to but not including 3.4.0. The SAFE_FOR_TEMPLATES option, which is intended to strip {{...}} template expressions from untrusted markup, behaves correctly in string mode but fails when callers use the RETURN_DOM or RETURN_DOM_FRAGMENT return modes. Applications that pass sanitized DOM nodes into client-side template engines such as Vue 2 can therefore execute attacker-controlled expressions. Version 3.4.0 patches the issue.
Critical Impact
Attackers can inject template expressions that bypass DOMPurify sanitization and execute arbitrary JavaScript in user browsers when sanitized DOM nodes are rendered through template-evaluating frameworks.
Affected Products
- DOMPurify versions 1.0.10 through 3.3.x
- Applications consuming DOMPurify with RETURN_DOM: true or RETURN_DOM_FRAGMENT: true and SAFE_FOR_TEMPLATES: true
- Downstream frameworks evaluating mustache-style expressions, including Vue 2
Discovery Timeline
- 2026-04-23 - CVE-2026-41239 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41239
Vulnerability Analysis
DOMPurify sanitizes untrusted HTML, MathML, and SVG before insertion into the DOM. The SAFE_FOR_TEMPLATES flag exists to neutralize template syntax such as {{ expression }} so downstream template engines do not interpret attacker input. The sanitizer applies expression stripping to the serialized string output path. The DOM output path, returned when callers request RETURN_DOM or RETURN_DOM_FRAGMENT, does not apply the same removal logic to text nodes. An attacker who submits markup containing {{...}} sequences sees those sequences preserved verbatim inside the returned DOM. When the host application attaches that DOM into a template-aware framework, the framework evaluates the expressions as code, producing XSS.
Root Cause
The root cause is inconsistent enforcement of the SAFE_FOR_TEMPLATES policy across DOMPurify return modes. String serialization paths perform the template expression scrub, while the DOM and DOM fragment paths return nodes whose text content retains the unmodified {{...}} payloads. The defect is documented in the GitHub Security Advisory GHSA-crv5-9vww-q3g8.
Attack Vector
Exploitation requires the attacker to deliver crafted HTML to an application that sanitizes input with DOMPurify using SAFE_FOR_TEMPLATES in combination with RETURN_DOM or RETURN_DOM_FRAGMENT, then mounts the result into a template-evaluating framework. The attack is network-reachable through any input surface that accepts HTML, such as comments, messages, or profile fields. User interaction is required because the victim must load the page that renders the sanitized DOM. Successful exploitation runs arbitrary JavaScript under the application origin and can be used to steal session tokens, perform actions on behalf of the user, or pivot to additional attacks.
Detection Methods for CVE-2026-41239
Indicators of Compromise
- Inbound HTML payloads containing {{ and }} delimiters surrounding JavaScript expressions, function calls, or constructor references.
- Client-side errors or unexpected execution originating from Vue 2 template compilation on user-generated content surfaces.
- Outbound requests from rendered pages to attacker-controlled domains immediately after content load.
Detection Strategies
- Inventory all uses of DOMPurify in front-end and server-side rendering code and identify call sites that combine SAFE_FOR_TEMPLATES with RETURN_DOM or RETURN_DOM_FRAGMENT.
- Add server-side input inspection that flags submissions containing mustache-style template expressions in HTML fields.
- Use software composition analysis to identify DOMPurify versions below 3.4.0 across repositories and built artifacts.
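One way to implement the server-side inspection step above, as an added example that is not DOMPurify's or any project's own code; the endpoint field names, the path notation and the sample payload are constructed:

```javascript
// Server-side inspection of an HTML-accepting submission for mustache-style
// template expressions (added example; field names and payload constructed).
const MUSTACHE_RE = /\{\{[\s\S]*?\}\}/g;

// Decode numeric character references first: DOMPurify parses the HTML, so
// "&#123;&#123;" in a submission becomes "{{" in the resulting text node.
// Out-of-range code points are dropped instead of throwing.
const cp = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
function decodeNumericEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)));
}

// Walk a JSON body recursively; one finding per expression, with the dotted
// path of the field it sits in and a short snippet for the alert.
function findTemplateExpressions(value, path = '', out = []) {
  if (typeof value === 'string') {
    for (const m of decodeNumericEntities(value).matchAll(MUSTACHE_RE)) {
      out.push({ path, snippet: m[0].slice(0, 60) });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findTemplateExpressions(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findTemplateExpressions(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// Decision for an endpoint: reject when a field that is later sanitized as
// HTML carries an expression; findings in other fields are only reported.
function inspectSubmission(body, htmlFields) {
  const all = findTemplateExpressions(body);
  const blocked = all.filter((f) =>
    htmlFields.some((h) => f.path === h || f.path.startsWith(h + '.') || f.path.startsWith(h + '['))
  );
  return { allowed: blocked.length === 0, blocked, reported: all };
}

// Constructed sample: a comment form whose "body" field accepts HTML.
const sample = {
  author: 'alice',
  body: '<p>Hi &#123;&#123; 7 * 7 }}</p>',
  tags: ['{{ ok }}'],
};
console.log(JSON.stringify(inspectSubmission(sample, ['body']), null, 2));
```

Matching on the decoded text is what makes this stricter than a raw `{{.*}}` WAF rule, which sees the entity-encoded form only as bytes.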
Monitoring Recommendations
- Monitor browser-side error telemetry and Content Security Policy (CSP) violation reports for unexpected script execution on pages rendering user content.
- Log and alert on Web Application Firewall (WAF) matches against {{.*}} patterns submitted to HTML-accepting endpoints.
- Track dependency manifests for regressions that downgrade DOMPurify below 3.4.0.
How to Mitigate CVE-2026-41239
Immediate Actions Required
- Upgrade DOMPurify to version 3.4.0 or later across all applications and bundles.
- Audit sanitizer configurations for use of SAFE_FOR_TEMPLATES together with RETURN_DOM or RETURN_DOM_FRAGMENT and remediate any matches.
- Review Vue 2 and other template-evaluating views that render sanitized HTML from untrusted sources.
Patch Information
The maintainers released the fix in DOMPurify 3.4.0. Release notes and the patched build are available in the GitHub DOMPurify Release 3.4.0 and the GitHub Security Advisory GHSA-crv5-9vww-q3g8.
Workarounds
- Switch affected call sites to string mode and parse the sanitized string back into DOM nodes only after sanitization completes.
- Disable client-side template evaluation on content paths that render user-supplied HTML, or migrate from Vue 2 templating of untrusted markup.
- Apply a strict Content Security Policy that blocks inline script execution to reduce impact if exploitation occurs.
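For call sites that cannot switch to string mode before the upgrade lands, an added defense-in-depth check (example code, not DOMPurify's own) that walks the nodes DOMPurify returns and removes the expressions the DOM output path left in text nodes; the regex is an approximation of the mustache pattern, attribute scrubbing is extra, and the stand-in node tree at the end is constructed so the walker can be run outside a browser:

```javascript
// Defense-in-depth for RETURN_DOM / RETURN_DOM_FRAGMENT call sites: strip
// {{...}} from every text node (untouched by the DOM path before 3.4.0) and,
// additionally, from attribute values. Added example, not DOMPurify code; the
// regex approximates its mustache pattern, each match becomes one space.
const MUSTACHE_RE = /\{\{[\s\S]*?\}\}/g;
const ELEMENT_NODE = 1, TEXT_NODE = 3, DOCUMENT_FRAGMENT_NODE = 11;

// Returns the scrubbed string and how many expressions were removed.
function scrubString(s) {
  let count = 0;
  const out = s.replace(MUSTACHE_RE, () => { count += 1; return ' '; });
  return { out, count };
}

// Mutates the tree in place; returns the total number of expressions removed.
function scrubTemplateExpressions(node) {
  let removed = 0;
  if (node.nodeType === TEXT_NODE) {
    const r = scrubString(node.nodeValue || '');
    if (r.count) node.nodeValue = r.out;
    return r.count;
  }
  if (node.nodeType === ELEMENT_NODE && node.attributes) {
    for (const attr of Array.from(node.attributes)) {
      const r = scrubString(attr.value);
      if (r.count) { attr.value = r.out; removed += r.count; }
    }
  }
  for (const child of Array.from(node.childNodes || [])) {
    removed += scrubTemplateExpressions(child);
  }
  return removed;
}
// Browser usage, assuming the DOMPurify global is loaded (not run here):
//   const frag = DOMPurify.sanitize(dirty, { RETURN_DOM_FRAGMENT: true, SAFE_FOR_TEMPLATES: true });
//   scrubTemplateExpressions(frag);   // then mount frag into the Vue 2 view

// Constructed stand-in tree exposing only the node properties the walker reads.
const text = (v) => ({ nodeType: TEXT_NODE, nodeValue: v, childNodes: [] });
const el = (tag, attrs, children) => ({
  nodeType: ELEMENT_NODE, tagName: tag, childNodes: children,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
});
function makeSampleFragment() {
  return { nodeType: DOCUMENT_FRAGMENT_NODE, childNodes: [el('p', { title: 'note {{ 1 }}' }, [
    text('Hello {{ 7 * 7 }} world'), el('b', {}, [text('{{ a }}{{ b }}')])])] };
}
const demo = makeSampleFragment();
console.log(scrubTemplateExpressions(demo), JSON.stringify(demo));
```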
# Configuration example
npm install dompurify@^3.4.0
npm ls dompurify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.