Skip to main content

Jodit Editor EUVDEUVD-2026-41138

| CVE-2026-55886 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-06-18 https://github.com/xdan/jodit GHSA-vpmm-x3fm-qr5c
6.3
CVSS 4.0 · Vendor: https://github.com/xdan/jodit
Share

Severity by source

Vendor (https://github.com/xdan/jodit) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network vector applies when user input reaches the function; AC:H because a specific vulnerable code path in the consuming application is required; S:C because Object.prototype pollution affects the entire runtime beyond the immediate component.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Primary rating from Vendor (https://github.com/xdan/jodit).

CVSS VectorVendor: https://github.com/xdan/jodit

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 01, 2026 - 21:22 NVD
6.3 (MEDIUM)
Source Code Evidence Fetched
Jun 18, 2026 - 14:06 vuln.today
Analysis Generated
Jun 18, 2026 - 14:06 vuln.today

DescriptionCVE.org

Summary

Jodit.modules.Helpers.set(chain, value, obj) walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype (prototype pollution).

Affected

  • Package: jodit (npm)
  • Versions: < 4.12.26
  • Public API: Jodit.modules.Helpers.set(chain, value, obj)

Proof of Concept

js
const { Jodit } = require('jodit');
delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;

Impact

Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.

Patch

Fixed in 4.12.26 by rejecting any chain whose segments include __proto__, constructor, or prototype, reusing the same guard introduced for Jodit.configure() in 4.12.18.

Credit

Responsibly reported by Junming Wu.

AnalysisAI

Prototype pollution in the Jodit WYSIWYG editor npm package (versions < 4.12.26) allows mutation of Object.prototype via the public helper API Jodit.modules.Helpers.set(). When an application passes user-controlled or partially user-controlled key paths to this function, an attacker can inject arbitrary properties into the global Object.prototype, enabling logic bypass, denial of service, or secondary security issues throughout the entire JavaScript runtime. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply crafted chain string with __proto__ segment
Delivery
Trigger call to Jodit.modules.Helpers.set() with attacker-controlled chain
Exploit
Function traverses path without denylist validation
Execution
Object.prototype mutated with injected property
Persist
Application logic inherits polluted property
Impact
Logic bypass, DoS, or secondary exploit triggered

Vulnerability AssessmentAI

Exploitation Exploitation requires that the consuming application passes a user-controlled or externally-influenced string as the chain argument to Jodit.modules.Helpers.set(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk depends heavily on whether application code passes user-controlled strings to Jodit.modules.Helpers.set(). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A web application uses Jodit as its editor component and exposes an API endpoint that accepts a JSON body containing a configuration key path, passing it directly to Jodit.modules.Helpers.set(keyPath, value, config). An unauthenticated attacker sends a POST request with the key path set to __proto__.isAdmin and value true; the function walks the chain without validation, mutating Object.prototype so that every subsequent object literal in the process inherits isAdmin: true. …
Remediation Vendor-released patch: jodit 4.12.26. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

EUVD-2026-41138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy