CVE-2025-15599

medium

Red Hat

CVSS v3 Base Score

6.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Published: March 3, 2026

Last Modified: March 3, 2026

Vendor: Red Hat

Description

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

CWE

CWE-79

Affected Products

Cryostat 4Migration Toolkit for VirtualizationMulticluster Engine for KubernetesNetwork Observability OperatorNode HealthCheck OperatorOpenShift PipelinesRed Hat 3scale API Management Platform 2Red Hat Advanced Cluster Management for Kubernetes 2Red Hat Advanced Cluster Security 4Red Hat Ansible Automation Platform 2

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2025-15599

Vulnerability Report

Description

CWE

Affected Products

References