Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote submission with low complexity, but persisting content requires an authenticated low-privilege account (PR:L); impact is availability-only (A:H) with no confidentiality or integrity effect.
Primary rating from Vendor (VulnCheck).
Description (source: CVE.org)
Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri() function when passed to preg_match(). Attackers can persist malformed JSON records that permanently crash the server-side HTML rendering pipeline for all subsequent viewers of that record until the database entry is manually repaired.
Analysis (AI)
Persistent denial of service in the Tiptap for PHP library before 2.1.1 lets authenticated users crash the server-side rendering pipeline by submitting Tiptap JSON whose attrs.href is an array rather than a string. The malformed value reaches preg_match() inside Link::isAllowedUri() and triggers an unhandled TypeError; because the bad record is stored, every later attempt to render that content fails for all viewers until the database row is manually fixed. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated user (PR:L) who can submit and persist Tiptap JSON content into an application that uses tiptap-php for server-side HTML rendering, and specifically the ability to set a link node's attrs.href field to an array rather than a string. … |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, base 7.1 High) is internally consistent with the description: remote, low-complexity, requires some authentication/privilege (PR:L) to submit content, no user interaction, and a pure availability impact with no confidentiality or integrity loss. … |
| Exploit Scenario | An attacker with a normal authenticated account on an application that uses Tiptap for PHP submits rich-text content (e.g., a comment, post, or document) whose link node carries attrs.href as a JSON array instead of a string. The malformed content is saved, and the next time anyone views that record the server-side HTML renderer throws an uncaught TypeError, crashing the rendering pipeline for that content for every viewer. … |
| Remediation | Vendor-released patch: upgrade ueberdosis/tiptap-php to version 2.1.1 or later (via Composer), which adds a type guard preventing the TypeError when a link href is not a string (PR https://github.com/ueberdosis/tiptap-php/pull/94, commit 74bfb7be1c8c6102b240f3879b7f984a6ab87b97, release https://github.com/ueberdosis/tiptap-php/releases/tag/2.1.1). … |
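Added example, not code from ueberdosis/tiptap-php: an assumed, simplified stand-in for the unguarded href check beside its type-guarded form, plus a walker an application can run over Tiptap JSON before persisting it (or over already-stored rows) to locate link attrs.href values that are not strings and would crash rendering. The function names, the protocol pattern and the sample document are constructed for illustration; only the preg_match()-on-array TypeError behaviour is taken from the advisory.

```php
<?php
// Constructed stand-in for an unguarded check: the href goes straight into preg_match().
// On PHP 8, preg_match() with an array subject throws a TypeError, the failure the CVE describes.
function isAllowedUriUnguarded(mixed $href, array $protocols): bool
{
    $pattern = '/^(' . implode('|', array_map('preg_quote', $protocols)) . '):/i';
    return preg_match($pattern, $href) === 1;
}

// Hardened form: reject anything that is not a string before it reaches preg_match().
function isAllowedUriGuarded(mixed $href, array $protocols): bool
{
    if (!is_string($href)) {
        return false;
    }
    $pattern = '/^(' . implode('|', array_map('preg_quote', $protocols)) . '):/i';
    return preg_match($pattern, $href) === 1;
}

// Compensating control for applications: walk a Tiptap JSON tree (nodes and marks) and
// return the JSON paths of every link whose attrs.href is present but not a string.
function findMalformedLinkHrefs(array $node, string $path = '$'): array
{
    $bad = [];
    $attrs = $node['attrs'] ?? null;
    if (($node['type'] ?? null) === 'link' && is_array($attrs)
        && array_key_exists('href', $attrs) && !is_string($attrs['href'])) {
        $bad[] = $path . '.attrs.href';
    }
    foreach (['marks', 'content'] as $key) {
        foreach ($node[$key] ?? [] as $i => $child) {
            if (is_array($child)) {
                $bad = array_merge($bad, findMalformedLinkHrefs($child, "{$path}.{$key}[{$i}]"));
            }
        }
    }
    return $bad;
}

// Constructed sample document: a paragraph whose link mark carries an array href.
$doc = json_decode('{"type":"doc","content":[{"type":"paragraph","content":[{"type":"text",'
    . '"text":"x","marks":[{"type":"link","attrs":{"href":["https://example.com"]}}]}]}]}', true);
print_r(findMalformedLinkHrefs($doc));                                  // one offending path
var_dump(isAllowedUriGuarded(['https://example.com'], ['http', 'https'])); // rejected, no crash
try {
    isAllowedUriUnguarded(['https://example.com'], ['http', 'https']);
} catch (TypeError $e) {
    echo 'unguarded check throws ' . get_class($e) . PHP_EOL;       // the unhandled-error case
}
```

Rejecting the record at submission time (non-empty result from the walker) keeps a malformed href from being persisted at all, and running the same walker over existing rows identifies entries that need repair after upgrading.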
Recommended Action (AI)
Within 24 hours: audit current Tiptap for PHP version deployed in production and identify all affected instances. …
Same weakness: CWE-241 – Improper Handling of Unexpected Data Type
Same technique: Denial of Service
Identifiers: EUVD-2026-39100, GHSA-4595-7fjw-r3jh