Prototype Pollution in Jodit Editor by Xdan
CVE-2026-54756

6.3 MEDIUM

Key Information:

Vendor

Xdan

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-54756?

Jodit Editor is a WYSIWYG editor written in TypeScript. In versions prior to 4.12.18, the method Jodit.configure(options) merged user-supplied options into the editor settings without filtering out prototype-mutating keys (such as __proto__). Because the merge descends into nested option objects, a payload placed inside a standard object-valued option such as controls could reach and modify Object.prototype, a Prototype Pollution condition. Applications that pass user-controlled configuration values into Jodit are affected. The issue is fixed in version 4.12.18.
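The following is an added illustration, not Jodit's own code: a naive recursive option merge of the kind the advisory describes, beside a hardened version that refuses prototype-mutating keys and only descends into the target's own properties. The function names (naiveMerge, safeMerge, demo) and the sample payload are constructed for this example; the payload is parsed from JSON because an object literal with a __proto__ key would set the prototype rather than create an own key.

```javascript
// Keys that must never be merged from untrusted input. "constructor" is
// included because source.constructor.prototype also reaches Object.prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern (hypothetical, modelled on the advisory): every own key of
// `source` is merged, so a key named "__proto__" makes `target[key]` resolve to
// Object.prototype, and the recursion then writes into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip prototype-mutating keys at every depth, and only
// recurse into properties the target actually owns, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge strategy against a constructed editor settings object and a
// constructed attacker payload nested under the `controls` option. Returns the
// value a fresh, unrelated object inherits afterwards: undefined when the merge
// is safe, the attacker's value when Object.prototype was polluted.
function demo(merge) {
  const settings = { controls: { bold: { icon: 'bold' } } };
  const userOptions = JSON.parse('{"controls":{"__proto__":{"polluted":"yes"}}}');
  merge(settings, userOptions);
  const leaked = ({}).polluted;
  // Clean up so the global prototype does not stay polluted for later calls.
  delete Object.prototype.polluted;
  return leaked;
}

// Legitimate nested options must still be merged by the hardened version.
function mergesLegitimateOptions() {
  const settings = { controls: { bold: { icon: 'bold' } } };
  safeMerge(settings, { controls: { italic: { icon: 'italic' } } });
  return settings.controls.bold.icon === 'bold' && settings.controls.italic.icon === 'italic';
}

console.log('naiveMerge leaks:', demo(naiveMerge)); // "yes"
console.log('safeMerge leaks:', demo(safeMerge));   // undefined
```

A quick check an application can run after calling configure with untrusted input is exactly what demo does: read a property name from a freshly created empty object and assert it is undefined. If it is not, Object.prototype has been modified and the process should be treated as compromised.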

Affected Version(s)

jodit < 4.12.18

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Present
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
