Skip to main content

Tiptap Php

1 CVEs product

Monthly

CVE-2026-47110 HIGH PATCH This Week

Persistent denial of service in the Tiptap for PHP library before 2.1.1 lets authenticated users crash the server-side rendering pipeline by submitting Tiptap JSON whose attrs.href is an array rather than a string. The malformed value reaches preg_match() inside Link::isAllowedUri() and triggers an unhandled TypeError; because the bad record is stored, every later attempt to render that content fails for all viewers until the database row is manually fixed. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

PHP Denial Of Service Tiptap Php
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Persistent denial of service in the Tiptap for PHP library before 2.1.1 lets authenticated users crash the server-side rendering pipeline by submitting Tiptap JSON whose attrs.href is an array rather than a string. The malformed value reaches preg_match() inside Link::isAllowedUri() and triggers an unhandled TypeError; because the bad record is stored, every later attempt to render that content fails for all viewers until the database row is manually fixed. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

PHP Denial Of Service Tiptap Php
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy