Jodit
Monthly
Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. No public exploit identified at time of analysis, and the flaw is fixed in 4.12.28.
Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.
Mutation XSS in Jodit Editor (xdan/jodit) before 4.12.28 lets attacker-influenced HTML slip a live, no-interaction event handler past the built-in clean-html sanitizer. A MathML/<style> carrier hides a dangerous element from the sanitizer's element walk, so the sanitized editor value still contains a working handler such as <img onload=...> or onfocus; any consumer that renders editor.value via innerHTML executes attacker JavaScript without user interaction. No public exploit identified at time of analysis, and the flaw is fixed in 4.12.28.
Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.