PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47423 cure53 CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T20:17:02.143Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. This vulnerability affects DOMPurify, a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. The issue is fixed in version 3.4.5. Developers and users of DOMPurify, especially those using version 3.4.4, should be aware of this vulnerability and take steps to upgrade to version 3.4.5 or apply compensating controls.

Vendor
cure53
Product
DOMPurify
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Developers and users of DOMPurify, especially those using version 3.4.4, should be aware of this vulnerability and take steps to upgrade to version 3.4.5 or apply compensating controls. Operators, platform administrators, vulnerability management teams, and security teams may be impacted by this vulnerability.

Technical summary

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. In version 3.4.4, DOMPurify allowed selectedcontent by default, which could allow browsers to re-clone an XSS payload after sanitization, potentially returning unsanitized markup inside <selectedcontent>. This issue was fixed in version 3.4.5. The vulnerability has a CVSS score of 8.2 and is classified as HIGH severity.

Defensive priority

High

Recommended defensive actions

  • Upgrade to DOMPurify version 3.4.5 or later
  • Implement compensating controls, such as additional sanitization or input validation
  • Monitor for potential XSS attacks
  • Review and update existing code to ensure proper use of DOMPurify
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record and NVD entry provide limited information about the vulnerability. Further analysis and testing may be necessary to fully understand the impact and potential mitigations. The vulnerability affects DOMPurify version 3.4.4, which allows selectedcontent by default, potentially allowing browsers to re-clone an XSS payload after sanitization. Defenders should verify the affected scope and review compensating controls.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T20:17:02.143Z and has not been modified since then.