CVE-2026-41238

medium Red Hat
CVSS v3 Base Score
6.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 88% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
None
Published: April 23, 2026 (77 days ago)
Last Modified: April 23, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in DOMPurify, a software library used to clean potentially malicious code from web content, preventing Cross-Site Scripting (XSS) attacks. A remote attacker could exploit a vulnerability related to 'prototype pollution' to bypass DOMPurify's security checks. This allows the attacker to inject harmful code, such as event handlers, into web pages. If successfully exploited, this could lead to the execution of arbitrary code in a user's web browser.

CWE

CWE-915

Affected Products

Cryostat 4Migration Toolkit for VirtualizationMulticluster Engine for KubernetesNode HealthCheck OperatorOpenShift LightspeedOpenShift Service Mesh 2OpenShift Service Mesh 3Red Hat 3scale API Management Platform 2Red Hat Advanced Cluster Security 4Red Hat Ansible Automation Platform 2

References