CVE-2026-0540

medium

Red Hat

CVSS v3 Base Score

6.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Published: March 3, 2026

Last Modified: March 3, 2026

Vendor: Red Hat

Description

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

CWE

CWE-79

Affected Products

Cryostat 4Migration Toolkit for VirtualizationMulticluster Engine for KubernetesNetwork Observability OperatorNode HealthCheck OperatorOpenShift PipelinesRed Hat 3scale API Management Platform 2Red Hat Advanced Cluster Management for Kubernetes 2Red Hat Advanced Cluster Security 4Red Hat Ansible Automation Platform 2

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2026-0540

Vulnerability Report

Description

CWE

Affected Products

References