{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40301", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.036Z", "datePublished": "2026-04-17T20:51:37.226Z", "dateUpdated": "2026-04-17T20:51:37.226Z"}, "containers": {"cna": {"title": "rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/rhukster/dom-sanitizer/security/advisories/GHSA-93vf-569f-22cq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rhukster/dom-sanitizer/security/advisories/GHSA-93vf-569f-22cq"}, {"name": "https://github.com/rhukster/dom-sanitizer/commit/49a98046b708a4c92f754f5b0ef1720bb85142e2", "tags": ["x_refsource_MISC"], "url": "https://github.com/rhukster/dom-sanitizer/commit/49a98046b708a4c92f754f5b0ef1720bb85142e2"}, {"name": "https://github.com/rhukster/dom-sanitizer/releases/tag/1.0.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/rhukster/dom-sanitizer/releases/tag/1.0.10"}], "affected": [{"vendor": "rhukster", "product": "dom-sanitizer", "versions": [{"version": "< 1.0.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:51:37.226Z"}, "descriptions": [{"lang": "en", "value": "DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue."}], "source": {"advisory": "GHSA-93vf-569f-22cq", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue."}], "id": "CVE-2026-40301", "lastModified": "2026-04-17T21:16:34.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:34.850", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rhukster/dom-sanitizer/commit/49a98046b708a4c92f754f5b0ef1720bb85142e2"}, {"source": "security-advisories@github.com", "url": "https://github.com/rhukster/dom-sanitizer/releases/tag/1.0.10"}, {"source": "security-advisories@github.com", "url": "https://github.com/rhukster/dom-sanitizer/security/advisories/GHSA-93vf-569f-22cq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:57:55.830876+00:00", "value": {"mitigation_remediation": ["Update dom\u2011sanitizer to version 1.0.10 or later to remove the <style> injection flaw.", "If an update is not immediately possible, pre\u2011process SVG input to strip or escape <style> tags before passing it to DOMSanitizer.", "Audit the application\u2019s SVG handling paths to ensure no unsanitized user input reaches the browser."], "summary": {"action": "Apply patch", "impact": "Unauthorized network requests via CSS injection"}, "threat_synthesis": {"affected_systems": "The flaw is present in the rhukster:dom\u2011sanitizer library for PHP 7.3 and above prior to release version 1.0.10. Any PHP application that uses DOMSanitizer::sanitize() and renders SVG content could be affected.", "description_and_impact": "DOMSanitizer does not inspect the contents of <style> tags embedded in SVG files, allowing attackers to inject CSS url() references and @import directives. When the sanitized SVG is rendered in a browser, those unfiltered directives trigger HTTP requests to attacker\u2011controlled hosts. The vulnerability can lead to covert exfiltration of data or unexpected network traffic, but it does not provide direct code execution or privilege escalation. The CVSS score of 4.7 indicates a moderate impact.", "risk_and_exploitability": "The moderate CVSS score combined with the lack of an official KEV listing suggests that exploitation frequency is low to moderate. An attacker would need to supply or influence SVG content that is processed by DOMSanitizer and subsequently rendered in a browser, making the vulnerability highly context\u2011dependent. Without the patch, browsers will still perform network requests based on the malformed styles, which could be detected if outbound traffic is monitored."}}}}, "created": "2026-04-18T09:00:05.902536+00:00", "updated": "2026-04-18T09:00:05.902552+00:00", "vendors": []}