Threat Advisory

DOMPurify Vulnerability Evades Markup Analysis during Clone Replication

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-47423 (CVSS 8.2) is a DOM-based cross-site scripting (XSS) sanitizer bypass in the npm package DOMPurify that originates from the default handling of the <selectedcontent> element. DOMPurify sanitizes a supplied HTML string by parsing it, walking the resulting DOM tree and stripping unsafe elements and attributes. When the input contains an <option selected=javascript:1> wrapping an <img onerror> payload, the browser creates a hidden <selectedcontent> clone of the option content; DOMPurify sanitizes that clone during its walk, but the browser re-clones the original, unsanitized option content after the walk, so the injected handler survives inside the <selectedcontent> subtree of the returned markup. Exploitation requires only that attacker-controlled HTML reach DOMPurify.sanitize and that the result be inserted into the page via innerHTML or a similar DOM insertion point; no authentication or server-side privilege is needed. Successful exploitation yields arbitrary JavaScript execution in the victim's browser, enabling session hijacking, data exfiltration and further actions against the web application in the victim's context. The business impact is severe for any service that relies on DOMPurify for client-side sanitization of user-generated content, because browsers that implement <selectedcontent> (e.g., Chromium and WebKit) execute the payload. The only prerequisites are a vulnerable version of the library and a browser that supports the selectedcontent element, both of which are common in modern web stacks.
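The bypass described above leaves active markup in the string the sanitizer returns, so a deployment can catch it with a check that runs on the output rather than trusting the walk. The following is an added example written for this advisory, not code from the advisory or from DOMPurify: a fail-closed guard around any sanitize function, a probe whose shape is constructed from the advisory's description (it is not the advisory's reproduction case), and two stand-in sanitizers (a pass-through that models the bypass and a string scrubber that models the fixed outcome) so the block runs offline.

```javascript
// Added example for this advisory; not code from the advisory or DOMPurify.
// PROBE is constructed from the advisory's description of the payload shape.

// Conservative signatures of active content that must never survive
// sanitization. They run on the serialized output string, so they do not
// depend on the sanitizer's own DOM walk (which is what the bypass defeats).
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'inline event handler',    re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript: URL',         re: /\s(?:href|src|action|formaction|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'script element',          re: /<script\b/i },
  { name: 'selectedcontent element', re: /<selectedcontent\b/i },
];

// Names of every signature present in `html`; an empty array means clean.
function findActiveContent(html) {
  return ACTIVE_CONTENT_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
}

// Wrap any sanitize function, e.g. html => DOMPurify.sanitize(html), and
// fail closed: never hand back markup that still carries active content.
function guardedSanitize(sanitize, dirty) {
  const clean = sanitize(dirty);
  const hits = findActiveContent(clean);
  if (hits.length > 0) {
    throw new Error('sanitizer output still contains: ' + hits.join(', '));
  }
  return clean;
}

// Probe in the shape the advisory describes: a selected <option> carrying an
// <img onerror> inside a customizable <select> with a <selectedcontent> slot.
// Constructed for this example; not the advisory's proof of concept.
const PROBE =
  '<select><button><selectedcontent></selectedcontent></button>' +
  '<option selected=javascript:1><img src=x onerror=alert(1)></option></select>';

// Regression check for a deployment: push the probe through the real
// sanitizer and report what survived. A build that reproduces the bypass
// returns a non-empty list.
function probeSanitizer(sanitize) {
  return findActiveContent(sanitize(PROBE));
}

// Stand-ins so the block runs without a DOM. `passthrough` models a complete
// bypass; `scrub` models the post-fix outcome by stripping on* attributes and
// the <selectedcontent> element. Neither replaces DOMPurify.
const passthrough = html => html;
const scrub = html => html
  .replace(/\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
  .replace(/<\/?selectedcontent\b[^>]*>/gi, '');

console.log('bypass model survivors:', probeSanitizer(passthrough));
console.log('fixed model survivors: ', probeSanitizer(scrub));
try {
  guardedSanitize(passthrough, PROBE);
} catch (e) {
  console.log('guard rejected output:', e.message);
}
```

In a browser or under jsdom, `probeSanitizer(html => DOMPurify.sanitize(html))` turns this into a regression test for the deployed build; any non-empty result should block the release. The guard is deliberately coarse (it rejects any on* attribute and any `<selectedcontent>`), which is the right bias for a last line of defence behind a sanitizer that has already been shown to miss a case.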


RECOMMENDATION:

Upgrade DOMPurify to the patched release identified in the referenced GitHub advisory (GHSA-87xg-pxx2-7hvx), then rebuild and redeploy every bundle that vendors the library, including copies pulled in transitively by other packages; confirm with npm audit or the lockfile that no vulnerable version remains. Until the upgrade has shipped, treat sanitizer output as untrusted: enforce a Content Security Policy whose script-src does not allow 'unsafe-inline', which stops inline event handlers such as onerror and javascript: URLs from executing even when they survive sanitization. Where the application does not need customizable select markup, pass FORBID_TAGS: ['select', 'option', 'selectedcontent'] to DOMPurify.sanitize to remove the elements the bypass depends on, and verify that configuration against the advisory's reproduction case before relying on it. Audit every client-side insertion point (innerHTML, insertAdjacentHTML, jQuery's .html() and similar) that receives sanitized user-generated content so the scope of exposure is known.

REFERENCES:

The following advisory contains further technical details:
https://github.com/advisories/GHSA-87xg-pxx2-7hvx
