Skip to main content

Jodit Editor EUVDEUVD-2026-41139

| CVE-2026-54756 MEDIUM
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-07-01 GitHub_M
6.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

AC:H reflects AT:P precondition (user-controlled config required); S:C because prototype pollution crosses object boundaries into the broader JavaScript runtime environment.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 22:02 EUVD
Analysis Generated
Jul 01, 2026 - 21:35 vuln.today

DescriptionCVE.org

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) - and the internal ConfigMerge / ConfigProto helpers - merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.

AnalysisAI

Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify app passing user config to Jodit.configure()
Delivery
Craft payload with __proto__ key nested in controls option
Exploit
Submit payload via profile, API, or config endpoint
Execution
ConfigMerge traverses keys without filtering
Persist
Object.prototype mutated in JavaScript runtime
Impact
Exploit polluted prototype for authorization bypass or logic corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires that the host application passes user-controlled or partially user-controlled JavaScript objects into the Jodit.configure() API; this is the explicit precondition stated in the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.3 (Medium) with vector AV:N/AC:L/AT:P/PR:N/UI:N reflects a network-reachable flaw requiring no privileges or user interaction, but AT:P (Attack Requirements: Present) signals a mandatory precondition - the host application must pass user-controlled configuration into Jodit.configure(). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a web application that fetches user-defined Jodit editor settings from a profile or API endpoint and passes the resulting JSON object directly to Jodit.configure(). The attacker submits a crafted settings payload containing a controls key with a deeply nested __proto__ object - for example, {"controls": {"__proto__": {"isAdmin": true}}} - which, after being processed by ConfigMerge, mutates Object.prototype so that all subsequently created plain objects inherit isAdmin: true, potentially bypassing authorization checks or corrupting application logic throughout the session.
Remediation Upgrade Jodit Editor to version 4.12.18 or later, which filters prototype-mutating keys in ConfigMerge and ConfigProto; the fix is confirmed by the GitHub Security Advisory GHSA-5957-5c94-3v7w at https://github.com/xdan/jodit/security/advisories/GHSA-5957-5c94-3v7w. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

EUVD-2026-41139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy