GHSA-H8R8-WCCR-V5F2: Mutation-XSS via Re-Contextualization in DOMPurify
Source: DEV Community
Vulnerability ID: GHSA-H8R8-WCCR-V5F2
CVSS Score: 6.5
Published: 2026-03-27

DOMPurify versions prior to 3.3.2 are susceptible to a Mutation Cross-Site Scripting (mXSS) vulnerability. The flaw occurs due to discrepancies in browser parsing contexts when handling specific raw-text or RCDATA elements, allowing attackers to bypass sanitization.

TL;DR

DOMPurify < 3.3.2 fails to properly neutralize specific raw-text elements like <noscript>. Attackers can inject payloads that bypass initial sanitization but mutate into executable JavaScript when re-inserted into the DOM.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: Mutation Cross-Site Scripting (mXSS)
CWE ID: CWE-79
CVSS v3.1 Score: 6.5 Medium
Attack Vector: Network
User Interaction: None
Exploit Status: Proof of Concept Available
Affected Component: Raw Text/RCDATA Parser Constraints

Affected Systems

DOMPurify (NPM Package)
Client-side web appli