
CVE-2026-47423: DOMPurify XSS via selectedcontent re-clone


CVSS score: 8.2 (HIGH) · CISA KEV: No · Impact type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-47423
Vendor: npm
Affected Product: dompurify
Vulnerability Type: Cross-site scripting (XSS)
CVSS Score: 8.2 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See vendor advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary

DOMPurify 3.4.4 allows the <selectedcontent> element by default. That enables a chain in which the browser "re-clones" an XSS payload into <selectedcontent> after DOMPurify has already sanitized that subtree, so the payload survives in the returned string and the sanitizer is effectively bypassed.

Details

The chain is as follows:

1. The browser parses the input and creates a clone of the selected <option>'s content inside <selectedcontent>.
2. DOMPurify walks and sanitizes that generated clone.
3. DOMPurify reaches the original <option> and removes its selected=javascript:1 attribute (the javascript: value does not pass DOMPurify's attribute value check, so the attribute is dropped).
4. The browser reacts by refreshing the clone in <selectedcontent> from the original option's content.
5. The refreshed clone sits in a subtree DOMPurify has already walked, and DOMPurify does not go back to sanitize it.
6. The returned string contains unsanitized markup inside <selectedcontent>.

PoC

```js
// As extracted on this page: the markup inside the string literals and the
// end of the last statement did not survive, so the payload is not shown.
const dirty = ' ' + ' ' + ' x' + ' ';
const clean = DOMPurify.sanitize(dirty);
console.log(clean);
document.body.i
```
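Mitigation and regression check, as an added example that is neither DOMPurify's code nor part of the advisory: it assumes the application can do without <selectedcontent>, forbids the element through DOMPurify's FORBID_TAGS option, and then refuses any sanitizer output in which the element still appears instead of handing it to the DOM. The two stand-in purifier objects and the sample markup are constructed here so the file runs offline; with the real library, pass the DOMPurify object in their place.

```javascript
// Added example (not DOMPurify's or the advisory's code): wrap DOMPurify so
// <selectedcontent> is forbidden and its survival in the output is treated
// as an error rather than returned to the caller.

// Elements the browser re-clones from elsewhere in the tree. Only the one
// named in the advisory is listed; extend it only for elements you have verified.
const RECLONED_TAGS = ['selectedcontent'];

// Build a config that merges the caller's FORBID_TAGS with RECLONED_TAGS.
// FORBID_TAGS is a real DOMPurify option and takes lowercase tag names.
function hardenedConfig(base = {}) {
  const forbid = new Set([...(base.FORBID_TAGS || []), ...RECLONED_TAGS]);
  return { ...base, FORBID_TAGS: [...forbid] };
}

// Post-condition: DOMPurify serializes its result, so tag names come back
// lowercase and well formed; a case-insensitive scan for an opening tag is
// enough for that output (this is not a general HTML parser).
function containsReclonedTag(html) {
  return RECLONED_TAGS.some((tag) =>
    new RegExp('<' + tag + '[\\s/>]', 'i').test(html));
}

// Sanitize with the hardened config, then fail closed if a forbidden
// element is still present in what came back.
function sanitizeHardened(purifier, dirty, config = {}) {
  const clean = purifier.sanitize(dirty, hardenedConfig(config));
  if (containsReclonedTag(clean)) {
    throw new Error('sanitizer output still contains a re-cloned element');
  }
  return clean;
}

// Constructed markup with the shape from the chain above: a customizable
// select whose <selectedcontent> mirrors the selected <option>. No payload.
const SAMPLE = '<select><button><selectedcontent></selectedcontent></button>' +
  '<option selected>x</option></select>';

// Constructed stand-ins so the file runs without the library. The first
// honors FORBID_TAGS; the second ignores the config, modeling a sanitizer
// whose output still carries the element.
function makeStandIn(honorForbidTags) {
  return {
    sanitize(dirty, config = {}) {
      let out = dirty.replace(/<script[\s\S]*?<\/script>/gi, '');
      if (!honorForbidTags) return out;
      for (const tag of config.FORBID_TAGS || []) {
        out = out.replace(
          new RegExp('<' + tag + '[^>]*>[\\s\\S]*?</' + tag + '>', 'gi'), '');
      }
      return out;
    },
  };
}
const compliantPurifier = makeStandIn(true);
const ignoringPurifier = makeStandIn(false);

// True when the wrapper refuses the output of the non-compliant stand-in.
function wrapperFailsClosed() {
  try {
    sanitizeHardened(ignoringPurifier, SAMPLE);
    return false;
  } catch (e) {
    return true;
  }
}
```

In an application, call sanitizeHardened(DOMPurify, dirty) with the real library and keep the post-check: it costs one scan of the output and turns a silent bypass into a logged failure. Forbidding the element is a mitigation for deployments that cannot update immediately, not a substitute for the patched version referenced in the vendor advisory.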

📚 Advisory References
