Description

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue.

INFO

Published Date :

2026-04-17T20:51:37.226Z

Last Modified :

2026-04-20T14:57:39.192Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40301 vulnerability.

Vendors Products
Rhukster
  • Dom-sanitizer
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40301.

URL Resource
https://github.com/rhukster/dom-sanitizer/commit/49a98046b708a4c92f754f5b0ef1720bb85142e2 cve-icon cve-icon
https://github.com/rhukster/dom-sanitizer/releases/tag/1.0.10 cve-icon cve-icon
https://github.com/rhukster/dom-sanitizer/security/advisories/GHSA-93vf-569f-22cq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact