Back to overview

CVE-2026-58263

HIGH
7.2
CVSS 3.1
Description
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.

Metadata

CVE ID
CVE-2026-58263
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-29 21:54 UTC
Published
2026-07-01 20:35 UTC
Last updated
2026-07-01 20:35 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
xdan / jodit
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
xdan jodit < 4.12.28
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-83 cna CWE-83: Improper Neutralization of Script in Attributes in a Web Page
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
References (1)
Back to overview