dompurify

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Latest 3.3.3

NPM

85%

Total Score

Maintainer Stability

100

Dependencies

100

Maturity

100

Supply Chain

Attestations

Vulnerabilities

Title	Versions	Severity
CVE-2026-0540 dompurify is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in versions 3.1.3 - 3.3.1 and 2.5.3 - 2.5.8.	2.5.3 - 2.5.83.1.3 - 3.3.1	Medium
CVE-2025-15599 dompurify is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in versions 3.1.3 - 3.2.7 and 2.5.3 - 2.5.8.	2.5.3 - 2.5.83.1.3 - 3.2.7	Medium
AIKIDO-2025-10062 dompurify is vulnerable to Cross-site Scripting (XSS) in versions 1.0.0 - 3.2.3.	1.0.0 - 3.2.3	Medium
AIKIDO-2024-10525 Pre-CVE Found by Aikido Intel before public disclosure or CVE publication. dompurify is vulnerable to Improper Input Validation in versions 1.0.0 - 2.5.7 and 3.0.0 - 3.2.2.	1.0.0 - 2.5.73.0.0 - 3.2.2	Medium
CVE-2024-48910 dompurify is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in versions 0.0.0 - 2.4.2.	0.0.0 - 2.4.2	Critical