Summary
DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
References
Related vulnerabilities
All Supply chain →- MEDIUMGHSA-W9HF-3PP7-PVXV
OpenClaw: Exported session HTML could keep unsafe markdown links
- HIGHGHSA-WR9H-4R83-F4V6
Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
- CRITICALGHSA-FCW5-X6J4-CCMP
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
- MEDIUMGHSA-PMF8-G7C8-7V54
Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr
- HIGHGHSA-M9CV-24RX-8MV7
Filament: Disabled RichEditor field state can be used for XSS
- HIGHGHSA-9CPJ-QC93-VW8V
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer