PT-2026-54847 · Unknown · Jodit Editor
Junming Wu
·
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-54756
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Jodit Editor versions prior to 4.12.18
Description
Jodit Editor is a WYSIWYG editor written in TypeScript. The
Jodit.configure(options) function, along with internal ConfigMerge and ConfigProto helpers, merges user-supplied options into the editor configuration without filtering prototype-mutating keys. This can lead to Prototype Pollution, where a payload nested under a plain-object option like controls can mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() are susceptible to this issue.Recommendations
Update to version 4.12.18.
Exploit
Fix
Prototype Pollution
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jodit Editor