Skip to content

[CVE-2026-0540] DOMPurify contains a Cross-site Scripting vulnerability #5248

New issue
New issue
Open
Open
[CVE-2026-0540] DOMPurify contains a Cross-site Scripting vulnerability#5248
@AviVahl

Description

@AviVahl
AviVahl
opened on Mar 6, 2026

Reproducible in vscode.dev or in VS Code Desktop?

  • Not reproducible in vscode.dev or VS Code Desktop

Reproducible in the monaco editor playground?

Monaco Editor Playground Link

Irrelevant

Monaco Editor Playground Code

Irrelevant

Reproduction Steps

mkdir monaco-editor-alert
cd monaco-editor-alert
npm init -y
npm i monaco-editor
npm audit

Actual (Problematic) Behavior

dompurify  3.1.3 - 3.3.1
Severity: moderate
DOMPurify contains a Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fix available via `npm audit fix --force`
Will install monaco-editor@0.53.0, which is a breaking change
node_modules/dompurify
  monaco-editor  >=0.54.0-dev-20250909
  Depends on vulnerable versions of dompurify
  node_modules/monaco-editor

2 moderate severity vulnerabilities

Expected Behavior

0 vulnerabilities

Additional Context

Need to upgrade to dompurify@3.3.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions