<Vulnerability name="CVE-2026-49459">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-14T20:01:44</PublicDate>
    <Bugzilla id="2500676" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500676" xml:lang="en:us">
dompurify: DOMPurify: Cross-site scripting bypass allows arbitrary script execution
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>4.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-79</CWE>
    <Details xml:lang="en:us" source="Mitre">
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitize(root, { IN_PLACE: true }) could preserve event-handler attributes on an attacker-controlled &lt;form&gt; root when a descendant name clobbered properties checked by _isClobbered, because _forceRemove no-opped on the parent-less root and _sanitizeAttributes returned early. This issue is fixed in version 3.4.6.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in DOMPurify, a library designed to sanitize HTML, MathML, and SVG to prevent cross-site scripting (XSS) attacks. A remote attacker could exploit a vulnerability in the `DOMPurify.sanitize` function when used with the `IN_PLACE: true` option. This flaw allows an attacker to bypass the sanitizer and inject malicious event-handler attributes into an attacker-controlled form element. Successful exploitation could lead to the execution of arbitrary scripts in the user's browser, potentially compromising user data or session integrity.
    </Details>
    <Statement xml:lang="en:us">
This Moderate-impact cross-site scripting (XSS) bypass in DOMPurify arises when the `DOMPurify.sanitize` function is invoked with the `IN_PLACE: true` option on an attacker-controlled HTML form element. Successful exploitation requires a specific application configuration where untrusted HTML is processed in this manner, allowing malicious event handlers to persist and execute arbitrary scripts. Red Hat products are generally not affected by default configurations, as this specific usage pattern is uncommon.
    </Statement>
    <PackageState cpe="cpe:/a:redhat:migration_toolkit_virtualization:2">
        <ProductName>Migration Toolkit for Virtualization</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>migration-toolkit-virtualization/mtv-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:migration_toolkit_virtualization:2">
        <ProductName>Migration Toolkit for Virtualization</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>mtv-candidate/mtv-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:multicluster_engine">
        <ProductName>Multicluster Engine for Kubernetes</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>multicluster-engine/console-mce-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:workload_availability_nhc:0">
        <ProductName>Node HealthCheck Operator</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>workload-availability/node-healthcheck-must-gather-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:workload_availability_nhc:0">
        <ProductName>Node HealthCheck Operator</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>workload-availability/node-healthcheck-operator-bundle</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:workload_availability_nhc:0">
        <ProductName>Node HealthCheck Operator</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>workload-availability/node-healthcheck-rhel9-operator</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-agentic-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-console-plugin-419-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-lightspeed/lightspeed-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-service-mesh/kiali-ossmc-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:service_mesh:3">
        <ProductName>OpenShift Service Mesh 3</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-service-mesh/kiali-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:acm:2">
        <ProductName>Red Hat Advanced Cluster Management for Kubernetes 2</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhacm2/console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:advanced_cluster_security:4">
        <ProductName>Red Hat Advanced Cluster Security 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>advanced-cluster-security/rhacs-main-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:advanced_cluster_security:4">
        <ProductName>Red Hat Advanced Cluster Security 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>advanced-cluster-security/rhacs-main-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:amq_broker:7">
        <ProductName>Red Hat AMQ Broker 7</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>dompurify</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-26/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-27/gateway-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:camel_spring_boot:4">
        <ProductName>Red Hat build of Apache Camel for Spring Boot 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>dompurify</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:podman_desktop:1">
        <ProductName>Red Hat Build of Podman Desktop</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rh-podman-desktop.git</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ceph_storage:9">
        <ProductName>Red Hat Ceph Storage 9</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhceph/alloy-rhel10</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_data_grid:8">
        <ProductName>Red Hat Data Grid 8</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>dompurify</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:rhdh:1">
        <ProductName>Red Hat Developer Hub</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>rhdh/rhdh-hub-rhel9</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>ruff</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-dashboard-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-automl-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-autorag-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-eval-hub-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-gen-ai-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-maas-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-mlflow-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-mod-arch-model-registry-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_ai">
        <ProductName>Red Hat OpenShift AI (RHOAI)</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-agent-installer-ui-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-console</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-monitoring-plugin-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift4/ose-monitoring-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_data_foundation:4">
        <ProductName>Red Hat Openshift Data Foundation 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>odf4/ocs-client-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_data_foundation:4">
        <ProductName>Red Hat Openshift Data Foundation 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>odf4/odf-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_data_foundation:4">
        <ProductName>Red Hat Openshift Data Foundation 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>odf4/odf-multicluster-console-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/code-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>devspaces/openvsx-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_gitops:1">
        <ProductName>Red Hat OpenShift GitOps</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-gitops-1/argocd-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_gitops:1">
        <ProductName>Red Hat OpenShift GitOps</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>openshift-gitops-1/argocd-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:container_native_virtualization:4">
        <ProductName>Red Hat OpenShift Virtualization 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>container-native-virtualization/kubevirt-console-plugin</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:container_native_virtualization:4">
        <ProductName>Red Hat OpenShift Virtualization 4</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>container-native-virtualization/kubevirt-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_portal:2">
        <ProductName>Self-service automation portal 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform/automation-portal</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-49459
https://nvd.nist.gov/vuln/detail/CVE-2026-49459
https://github.com/cure53/DOMPurify/commit/bb7739e5bccec7e1ab3dae3f3e42d02db3acaaae
https://github.com/cure53/DOMPurify/releases/tag/3.4.6
https://github.com/cure53/DOMPurify/security/advisories/GHSA-r47g-fvhr-h676
    </References>
</Vulnerability>