DOMPurify, XSS via Shadow DOM in Template, CVE-2026-49978 (Moderate) -DC-Jun2026-433

Intro

CVE-2026-49978 is a cross-site scripting (XSS) vulnerability in DOMPurify, a widely used DOM‑only HTML sanitizer. The flaw resides in how DOMPurify processes HTML that contains a `