CVE-2025-26791

Upstream information

CVE-2025-26791 at MITRE

Description

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

---

SUSE information

Overall state of this security issue: Pending

This issue is currently rated as having moderate severity.

CVSS v3 Scores

	CNA (MITRE)	SUSE
Base Score	4.5	4.2
Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector	Local	Network
Attack Complexity	High	High
Privileges Required	None	None
User Interaction	None	Required
Scope	Changed	Unchanged
Confidentiality Impact	Low	Low
Integrity Impact	Low	Low
Availability Impact	None	None
CVSSv3 Version	3.1	3.1

CVSS v4 Scores

	SUSE
Base Score	2.3
Vector	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Attack Vector	Network
Attack Complexity	High
Attack Requirements	Present
Privileges Required	None
User Interaction	Passive
Vulnerable System Confidentiality Impact	Low
Vulnerable System Integrity Impact	Low
Vulnerable System Availability Impact	None
Subsequent System Confidentiality Impact	None
Subsequent System Integrity Impact	None
Subsequent System Availability Impact	None
CVSSv4 Version	4.0

SUSE Bugzilla entry: 1237712 [NEW]

No SUSE Security Announcements cross referenced.

---

SUSE Timeline for this CVE

CVE page created: Fri Feb 14 12:00:54 2025
CVE page last modified: Wed Feb 26 12:21:00 2025