Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attacker-supplied HTML reaches the editor remotely with no auth and the auto-firing handler needs no interaction (AV:N/AC:L/PR:N/UI:N); injected script crosses into the app DOM (S:C) with limited C/I and no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.
AnalysisAI
Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an application using Jodit Editor at a version below 4.12.28, (2) an attacker-controllable path that supplies HTML into Jodit's value-set or insertion API (editor.value = ... … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) portrays a network-reachable, low-complexity, unauthenticated bug with a scope change (the injected script crosses into the rendering application's origin/DOM) and limited confidentiality and integrity impact - consistent with client-side XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits crafted HTML - a MathML/<style> carrier wrapping an <img onload=...> payload - through a form, comment, or API field that an application feeds into Jodit's value-set path. Jodit's clean-html sanitizer fails to strip the hidden handler, and when the application later renders editor.value with element.innerHTML, the browser's DOM mutation re-forms the live element and the onload handler executes the attacker's JavaScript in the victim's session with no clicks required. … |
| Remediation | Vendor-released patch: upgrade Jodit to version 4.12.28 or later, which fixes the sanitizer bypass; update the npm dependency (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Jodit Editor instances and document versions in production (check package.json, npm/yarn lock files, container images, and CDN configurations). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41140