Sign In

CVE-2025-15599

ADVISORY - github

Summary

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

EPSS Score: 0.00029 (0.079)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADVISORY - github

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADVISORY - redhat

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2025-15599
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-79

CVSS SCORE

5.1medium

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-v8jm-5vwx-cfxm
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-79

CVSS SCORE

5.1medium

Debian

CREATED

UPDATED

ADVISORY IDCVE-2025-15599
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2025-15599
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2025-15599
EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-79

CVSS SCORE

6.1medium