Improve GHSA-v2wj-7wpq-c8vv

swils23 · swils23 · commit 11bfe5a8c889 · 2026-03-05T08:41:48.000-06:00
diff --git a/advisories/github-reviewed/2026/03/GHSA-v2wj-7wpq-c8vv/GHSA-v2wj-7wpq-c8vv.json b/advisories/github-reviewed/2026/03/GHSA-v2wj-7wpq-c8vv/GHSA-v2wj-7wpq-c8vv.json
@@ -1,18 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v2wj-7wpq-c8vv",
-  "modified": "2026-03-04T20:51:54Z",
+  "modified": "2026-03-04T20:51:56Z",
   "published": "2026-03-03T18:31:33Z",
   "aliases": [
     "CVE-2026-0540"
   ],
   "summary": "DOMPurify contains a Cross-site Scripting vulnerability",
-  "details": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.",
+  "details": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
@@ -32,11 +28,14 @@
               "introduced": "3.1.3"
             },
             {
-              "last_affected": "3.3.1"
+              "fixed": "3.3.2"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.3.1"
+      }
     },
     {
       "package": {
@@ -51,11 +50,14 @@
               "introduced": "2.5.3"
             },
             {
-              "last_affected": "2.5.8"
+              "fixed": "2.5.9"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.5.8"
+      }
     }
   ],
   "references": [

Original file line number	Diff line number	Diff line change
`@@ -1,18 +1,14 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-v2wj-7wpq-c8vv",`
`4`		`- "modified": "2026-03-04T20:51:54Z",`
	`4`	`+ "modified": "2026-03-04T20:51:56Z",`
`5`	`5`	`"published": "2026-03-03T18:31:33Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2026-0540"`
`8`	`8`	`],`
`9`	`9`	`"summary": "DOMPurify contains a Cross-site Scripting vulnerability",`
`10`		- "details": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 729097f, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.",
	`10`	+ "details": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.",
`11`	`11`	`"severity": [`
`12`		`- {`
`13`		`- "type": "CVSS_V3",`
`14`		`- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"`
`15`		`- },`
`16`	`12`	`{`
`17`	`13`	`"type": "CVSS_V4",`
`18`	`14`	`"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"`
`@@ -32,11 +28,14 @@`
`32`	`28`	`"introduced": "3.1.3"`
`33`	`29`	`},`
`34`	`30`	`{`
`35`		`- "last_affected": "3.3.1"`
	`31`	`+ "fixed": "3.3.2"`
`36`	`32`	`}`
`37`	`33`	`]`
`38`	`34`	`}`
`39`		`- ]`
	`35`	`+ ],`
	`36`	`+ "database_specific": {`
	`37`	`+ "last_known_affected_version_range": "<= 3.3.1"`
	`38`	`+ }`
`40`	`39`	`},`
`41`	`40`	`{`
`42`	`41`	`"package": {`
`@@ -51,11 +50,14 @@`
`51`	`50`	`"introduced": "2.5.3"`
`52`	`51`	`},`
`53`	`52`	`{`
`54`		`- "last_affected": "2.5.8"`
	`53`	`+ "fixed": "2.5.9"`
`55`	`54`	`}`
`56`	`55`	`]`
`57`	`56`	`}`
`58`		`- ]`
	`57`	`+ ],`
	`58`	`+ "database_specific": {`
	`59`	`+ "last_known_affected_version_range": "<= 2.5.8"`
	`60`	`+ }`
`59`	`61`	`}`
`60`	`62`	`],`
`61`	`63`	`"references": [`