CVE-2026-41240
mediumCVSS v3 Base Score
8.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 98% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
None
Published: April 23, 2026 (77 days ago)
Last Modified: April 23, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and execute arbitrary code in the user's browser, leading to Cross-Site Scripting (XSS).
CWE
CWE-79Affected Products
Cryostat 4Migration Toolkit for VirtualizationMulticluster Engine for KubernetesNode HealthCheck OperatorOpenShift LightspeedOpenShift Service Mesh 3Red Hat 3scale API Management Platform 2Red Hat Advanced Cluster Security 4Red Hat Ansible Automation Platform 2Red Hat build of Apache Camel - HawtIO 4