## CVE-2026-0540: DOMPurify Sanitization Bypass Exposes closenow.ai to XSS Risk
A critical sanitization bypass in the widely used DOMPurify library has been identified, exposing applications such as closenow.ai to cross-site scripting (XSS). The vulnerability, tracked as CVE-2026-0540, stems from a flawed regular expression that fails to sanitize five rawtext HTML elements: `noscript`, `xmp`, `noembed`, `noframes`, and `iframe`. Because of this gap, a closing tag for one of these elements can be smuggled through sanitization inside an attribute value, and the injected payload executes as JavaScript when the sanitized output is rendered inside one of these unprotected contexts. The flaw is present in DOMPurify versions 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8.

Evidence from a security scan of the `closenow.ai` project's `close-now-angular` frontend confirms that the vulnerable library, `dompurify@3.2.6`, is present in its dependency chain. The scanner, Trivy, flagged the issue as a MEDIUM severity finding and linked it to CWE-79, the weakness class for improper neutralization of input during web page generation. The mechanism is precise: an attacker places a payload such as `</noscript><img src=x onerror=alert(1)>` inside an attribute value. DOMPurify's `SAFE_FOR_XML` regex does not recognize the closing tag within that attribute, so the value passes sanitization intact; once the output is rendered inside a `noscript` element, the closing tag ends the rawtext context and the injected element executes in the user's browser.

The patched versions, 3.3.2 and 2.5.9, which include the fix from commit 2726c74, are now available. For any organization running the affected versions, the risk is direct and calls for immediate remediation. Unpatched instances leave web applications open to data theft, session hijacking, and unauthorized actions performed on behalf of users. This finding underscores the persistent threat hidden in software supply chains and the need for continuous, deep dependency scanning to catch such vulnerabilities before they are exploited in production.

---
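As an added example (not code from DOMPurify or closenow.ai), the following JavaScript does two things a defender would want from this advisory: it checks an installed `dompurify` version against the affected ranges stated above, and it scans already-sanitized HTML for attribute values containing a closing tag of one of the five rawtext elements, the breakout described in the mechanism paragraph. It assumes exact, lockfile-style version strings and uses a regex attribute scan rather than a full HTML parser.

```javascript
// Affected DOMPurify version ranges from the advisory (inclusive bounds).
const AFFECTED_RANGES = [['3.1.3', '3.3.1'], ['2.5.3', '2.5.8']];

// Parses an exact release version ("3.2.6" or "v3.2.6") into numeric parts.
// Assumption: lockfile-style exact versions, not package.json range specs.
function parseVersion(v) {
  return v.replace(/^v/, '').split('-')[0].split('.').map(Number);
}

// Numeric major.minor.patch comparison: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when an installed dompurify version falls inside an affected range.
function isAffectedDompurify(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// The five rawtext elements the flawed regex failed to cover. A closing tag for
// any of them inside an attribute value is serialized unescaped and, once the
// output is placed inside that element, terminates the rawtext run.
const RAWTEXT_ELEMENTS = ['noscript', 'xmp', 'noembed', 'noframes', 'iframe'];
const RAWTEXT_CLOSE_RE = new RegExp('</(' + RAWTEXT_ELEMENTS.join('|') + ')\\b', 'i');

// Matches name="value", name='value' and unquoted name=value attributes.
// Constructed regex scan for a post-sanitization guard, not a full HTML parser.
const ATTR_RE = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;

// Returns every attribute whose value contains a rawtext closing tag.
function findRawtextBreakouts(html) {
  const hits = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (RAWTEXT_CLOSE_RE.test(value)) hits.push({ attribute: m[1], value });
  }
  return hits;
}

// Guard to run on sanitized HTML before embedding it in a rawtext context:
// rejects output that an unpatched DOMPurify would have let through.
function assertSafeForRawtextContext(html) {
  const hits = findRawtextBreakouts(html);
  if (hits.length > 0) throw new Error('attribute "' + hits[0].attribute + '" closes a rawtext element');
  return html;
}
```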
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-0540, XSS, Supply Chain Security, closenow.ai, Web Security
- **Credibility**: unverified
- **Published**: 2026-04-08 00:27:01
- **ID**: 54012
- **URL**: https://whisperx.ai/en/intel/54012