Prototype Pollution in Jodit Editor by Xdan
CVE-2026-54756
6.3 MEDIUM
What is CVE-2026-54756?
Jodit Editor, a WYSIWYG editor written in TypeScript, is vulnerable in versions prior to 4.12.18: the method Jodit.configure(options) merged user-supplied options into the editor settings without filtering out prototype-mutating keys. As a result, a payload nested inside an ordinary object-valued option such as controls could reach and modify Object.prototype (Prototype Pollution). Applications that pass user-controlled configuration values into Jodit may be affected. The issue is fixed in version 4.12.18.
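The merge pattern behind this class of bug, as an added illustration that is not Jodit's own code: a naive recursive options merge beside a hardened one that drops prototype-mutating keys, run over a constructed options object so you can check whether an unrelated object picks up the injected property. The function names and the sample options are assumptions for the example.

```javascript
// Added example (not Jodit's code): naive vs hardened recursive options merge.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: recurses into every key, so a "__proto__" key resolves to
// Object.prototype and the nested values are written onto it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: only own keys, prototype-mutating keys skipped, and the
// existing nested object is reused only if it is an own property.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample (hypothetical): options parsed from JSON, so "__proto__"
// is an own data property rather than the object-literal prototype setter.
const SAMPLE_OPTIONS_JSON =
  '{"controls":{"__proto__":{"polluted":"yes"}},"toolbar":true}';

// Merge the sample into fresh settings and report whether an unrelated
// object now carries the injected property; restores the runtime afterwards.
function demonstrate(mergeFn) {
  const settings = { controls: {}, toolbar: false };
  mergeFn(settings, JSON.parse(SAMPLE_OPTIONS_JSON));
  const leaked = ({}).polluted;       // should be undefined after a safe merge
  delete Object.prototype.polluted;   // clean up for the next check
  return { toolbar: settings.toolbar, leaked };
}
```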
Affected Version(s)
jodit < 4.12.18
