Skip to main content

Jodit Editor CVE-2026-58263

| EUVDEUVD-2026-41140 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 GitHub_M
7.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Attacker-supplied HTML reaches the editor remotely with no auth and the auto-firing handler needs no interaction (AV:N/AC:L/PR:N/UI:N); injected script crosses into the app DOM (S:C) with limited C/I and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 22:02 EUVD
Analysis Generated
Jul 01, 2026 - 21:32 vuln.today

DescriptionCVE.org

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.

AnalysisAI

Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft MathML/<style> carrier hiding <img onload>
Delivery
Submit HTML to app's Jodit value-set path
Exploit
Sanitizer element walk misses hidden handler
Execution
App renders editor.value via innerHTML
Persist
Browser mutation reforms live element
Impact
onload handler executes attacker script in victim session

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an application using Jodit Editor at a version below 4.12.28, (2) an attacker-controllable path that supplies HTML into Jodit's value-set or insertion API (editor.value = ... … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) portrays a network-reachable, low-complexity, unauthenticated bug with a scope change (the injected script crosses into the rendering application's origin/DOM) and limited confidentiality and integrity impact - consistent with client-side XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits crafted HTML - a MathML/<style> carrier wrapping an <img onload=...> payload - through a form, comment, or API field that an application feeds into Jodit's value-set path. Jodit's clean-html sanitizer fails to strip the hidden handler, and when the application later renders editor.value with element.innerHTML, the browser's DOM mutation re-forms the live element and the onload handler executes the attacker's JavaScript in the victim's session with no clicks required. …
Remediation Vendor-released patch: upgrade Jodit to version 4.12.28 or later, which fixes the sanitizer bypass; update the npm dependency (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Jodit Editor instances and document versions in production (check package.json, npm/yarn lock files, container images, and CDN configurations). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy