cure53 CVE Vulnerabilities & Metrics

Focus on cure53 vulnerabilities and metrics.

Last updated: 25 Nov 2025, 23:25 UTC

About cure53 Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with cure53. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total cure53 CVEs: 7
Earliest CVE date: 24 Sep 2019, 05:15 UTC
Latest CVE date: 14 Feb 2025, 09:15 UTC

Latest CVE reference: CVE-2025-26791

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -66.67%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -66.67%

CVSS Stats

Average CVSS: 1.23

Max CVSS: 4.3

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 5
4.0-6.9 2
7.0-8.9 0
9.0-10.0 0

Top 5 Highest CVSS cure53 CVEs

These are the five CVEs with the highest CVSS scores for cure53, sorted first by severity and then by recency.

All CVEs for cure53

CVE-2025-26791 cure53 vulnerability CVSS: 0 14 Feb 2025, 09:15 UTC

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

CVE-2024-48910 cure53 vulnerability CVSS: 0 31 Oct 2024, 15:15 UTC

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

CVE-2024-47875 cure53 vulnerability CVSS: 0 11 Oct 2024, 15:15 UTC

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

CVE-2024-45801 cure53 vulnerability CVSS: 0 16 Sep 2024, 19:16 UTC

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders DOMPurify unable to avoid cross-site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2019-25155 cure53 vulnerability CVSS: 0 07 Nov 2023, 03:09 UTC

DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.

CVE-2020-26870 cure53 vulnerability CVSS: 4.3 07 Oct 2020, 16:15 UTC

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

CVE-2019-16728 cure53 vulnerability CVSS: 4.3 24 Sep 2019, 05:15 UTC

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.