
GHSA-H8R8-WCCR-V5F2: Mutation-XSS via Re-Contextualization in DOMPurify
Vulnerability ID: GHSA-H8R8-WCCR-V5F2
CVSS Score: 6.5
Published: 2026-03-27

DOMPurify versions prior to 3.3.2 are susceptible to a Mutation Cross-Site Scripting (mXSS) vulnerability. The flaw occurs due to discrepancies in browser parsing contexts when handling specific raw-text or RCDATA elements, allowing attackers to bypass sanitization.

TL;DR

DOMPurify < 3.3.2 fails to properly neutralize specific raw-text elements like <noscript>. Attackers can inject payloads that bypass initial sanitization but mutate into executable JavaScript when re-inserted into the DOM.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: Mutation Cross-Site Scripting (mXSS)
CWE ID: CWE-79
CVSS v3.1 Score: 6.5 Medium
Attack Vector: Network
User Interaction: None
Exploit Status: Proof of Concept Available
Affected Component: Raw Text/RCDATA Parser Constraints

Affected Systems

DOMPurify (NPM Package)
Client-side web applic
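
To check whether a project still resolves a DOMPurify release below 3.3.2, the following added example (not part of the original advisory or of DOMPurify itself) scans a parsed npm lockfile, including nested copies pulled in by other packages. The function names, the sample lockfile and the `rich-editor` package are assumptions made for illustration.

```javascript
// Added example: flag DOMPurify installs below the fixed release 3.3.2.
const FIXED = [3, 3, 2]; // fixed version as stated in the advisory text

// True when `version` is below 3.3.2; a 3.3.2 pre-release counts as below.
// Unparseable values (git or tarball specs, links) are flagged for review.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return Boolean(m[4]);
}

// Collect every dompurify copy in the tree, including nested ones.
// Uses "packages" (lockfile v2/v3) when present, else "dependencies" (v1).
function findAffected(lock) {
  const hits = [];
  const check = (path, info) => {
    if (isAffected(info.version)) hits.push({ path, version: info.version });
  };
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/dompurify$/.test(path)) check(path, info);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "dompurify") check(path, info);
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout); "rich-editor" is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/dompurify": { version: "3.3.2" },
    "node_modules/rich-editor/node_modules/dompurify": { version: "3.1.6" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse` of the contents of `package-lock.json` to `findAffected`; any entry it returns needs an upgrade or an override of the nested dependency.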




