<Vulnerability name="CVE-2026-49458">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-14T19:58:50</PublicDate>
    <Bugzilla id="2500636" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500636" xml:lang="en:us">
dompurify: DOMPurify: Cross-site scripting due to improper sanitization of DOM nodes
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-79</CWE>
    <Details xml:lang="en:us" source="Mitre">
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(node, { IN_PLACE: true }) accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, document fragments, and elements to fail and skip clobber, template-content, and shadow-DOM sanitization branches so executable markup could survive. This issue is fixed in version 3.4.6.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in DOMPurify, a tool designed to prevent cross-site scripting (XSS) attacks by sanitizing HTML, MathML, and SVG content. When processing certain types of web page elements, DOMPurify failed to properly identify and sanitize malicious code. This oversight could allow an attacker to inject and execute harmful scripts within a user's web browser, potentially leading to information disclosure or unauthorized actions.
    </Details>
    <Statement xml:lang="en:us">
This Moderate cross-site scripting (XSS) flaw in DOMPurify arises when the `DOMPurify.sanitize()` function is used with the `IN_PLACE: true` option on DOM nodes originating from a different realm (e.g., an iframe). This misconfiguration bypasses critical sanitization checks, allowing executable markup to persist. Red Hat products utilizing DOMPurify in this specific manner could be vulnerable to information disclosure or unauthorized actions if processing untrusted content.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:migration_toolkit_virtualization:2">
        <ProductName>Migration Toolkit for Virtualization</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>migration-toolkit-virtualization/mtv-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:migration_toolkit_virtualization:2">
        <ProductName>Migration Toolkit for Virtualization</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>mtv-candidate/mtv-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:multicluster_engine">
        <ProductName>Multicluster Engine for Kubernetes</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>multicluster-engine/console-mce-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:workload_availability_nhc:0">
        <ProductName>Node HealthCheck Operator</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>workload-availability/node-healthcheck-must-gather-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:workload_availability_nhc:0">
        <ProductName>Node HealthCheck Operator</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>workload-availability/node-healthcheck-operator-bundle</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:workload_availability_nhc:0">
        <ProductName>Node HealthCheck Operator</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>workload-availability/node-healthcheck-rhel9-operator</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-agentic-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-console-plugin-419-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-service-mesh/kiali-ossmc-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-service-mesh/kiali-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:acm:2">
        <ProductName>Red Hat Advanced Cluster Management for Kubernetes 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhacm2/console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:advanced_cluster_security:4">
        <ProductName>Red Hat Advanced Cluster Security 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>advanced-cluster-security/rhacs-main-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:advanced_cluster_security:4">
        <ProductName>Red Hat Advanced Cluster Security 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>advanced-cluster-security/rhacs-main-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>dompurify</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-26/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-27/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>dompurify</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:podman_desktop:1">
        <ProductName>Red Hat Build of Podman Desktop</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rh-podman-desktop.git</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ceph_storage:9">
        <ProductName>Red Hat Ceph Storage 9</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhceph/alloy-rhel10</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>dompurify</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:rhdh:1">
        <ProductName>Red Hat Developer Hub</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhdh/rhdh-hub-rhel9</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ruff</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-dashboard-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-automl-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-autorag-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-eval-hub-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-gen-ai-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-maas-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-mlflow-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-model-registry-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-agent-installer-ui-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-console</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-monitoring-plugin-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-monitoring-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_data_foundation:4">
        <ProductName>Red Hat Openshift Data Foundation 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>odf4/ocs-client-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_data_foundation:4">
        <ProductName>Red Hat Openshift Data Foundation 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>odf4/odf-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_data_foundation:4">
        <ProductName>Red Hat Openshift Data Foundation 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>odf4/odf-multicluster-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/code-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/openvsx-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_gitops:1">
        <ProductName>Red Hat OpenShift GitOps</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-gitops-1/argocd-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_gitops:1">
        <ProductName>Red Hat OpenShift GitOps</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-gitops-1/argocd-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:container_native_virtualization:4">
        <ProductName>Red Hat OpenShift Virtualization 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>container-native-virtualization/kubevirt-console-plugin</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:container_native_virtualization:4">
        <ProductName>Red Hat OpenShift Virtualization 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>container-native-virtualization/kubevirt-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_portal:2">
        <ProductName>Self-service automation portal 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform/automation-portal</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-49458
https://nvd.nist.gov/vuln/detail/CVE-2026-49458
https://github.com/cure53/DOMPurify/commit/bb7739e5bccec7e1ab3dae3f3e42d02db3acaaae
https://github.com/cure53/DOMPurify/releases/tag/3.4.6
https://github.com/cure53/DOMPurify/security/advisories/GHSA-hpcv-96wg-7vj8
    </References>
</Vulnerability>