PT-2026-54847 · Unknown · Jodit Editor

Junming Wu

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-54756

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Jodit Editor versions prior to 4.12.18
Description Jodit Editor is a WYSIWYG editor written in TypeScript. The Jodit.configure(options) function, along with internal ConfigMerge and ConfigProto helpers, merges user-supplied options into the editor configuration without filtering prototype-mutating keys. This can lead to Prototype Pollution, where a payload nested under a plain-object option like controls can mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() are susceptible to this issue.
Recommendations Update to version 4.12.18.

Exploit

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54756
GHSA-5957-5C94-3V7W

Affected Products

Jodit Editor