Finding · openhands

Security: Fix CVE-2026-41238 via dompurify upgrade to 3.4.0

What Changed

Updated dompurify from 3.3.2 to 3.4.0 to address CVE-2026-41238, a security vulnerability affecting HTML sanitization in the frontend.

Operator Implication

Operators must deploy this security patch to mitigate CVE-2026-41238 exposure in HTML/DOM sanitization. Frontend users could be affected by insufficient sanitization if the vulnerability remains unpatched.

Receipt

Finding metadata

Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

Finding ID: 2026-06-02-openhands-cve-2026-41238-dompurify

Source links

Primary links, including exact changelog lines when available.