Skip to main content

Jodit

2 CVEs product

Monthly

CVE-2026-58263 HIGH PATCH This Week

Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. No public exploit identified at time of analysis, and the flaw is fixed in 4.12.28.

XSS Jodit
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-54756 MEDIUM PATCH This Month

Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.

Information Disclosure Prototype Pollution Jodit
NVD GitHub
CVSS 4.0
6.3
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. No public exploit identified at time of analysis, and the flaw is fixed in 4.12.28.

XSS Jodit
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.

Information Disclosure Prototype Pollution Jodit
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy