PT-2026-54911 · Unknown · Jodit Editor

Koyokr

·

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-58263

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Jodit Editor versions prior to 4.12.28
Description The built-in clean-html sanitizer can be bypassed using a MathML/ carrier. This technique hides dangerous elements from the sanitizer's element walk, allowing no-interaction event handlers to persist in the editor value. This can lead to Mutation XSS (Cross-Site Scripting), where an attacker-influenced HTML input results in the execution of malicious handlers, such as onload or onfocus within an <img> tag, when the output is rendered via element.innerHTML = editor.value without requiring user interaction.
Recommendations Update to version 4.12.28.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58263

Affected Products

Jodit Editor