Prototype Pollution Vulnerability in Jodit Editor by Xdan
CVE-2026-55886

6.3 MEDIUM

Key Information:

Vendor: Xdan
Status: Vendor
CVE Published: 1 July 2026

What is CVE-2026-55886?

Jodit Editor, a popular WYSIWYG editor implemented in pure TypeScript, is vulnerable to prototype pollution, which can have severe security implications. Specifically, versions prior to 4.12.26 allow the Jodit.modules.Helpers.set function to modify Object.prototype because it does not adequately filter prototype-modifying keys from the dot-separated key chain it walks. When the keys in that chain are user-controlled, the flaw can be exploited to pollute every object that inherits from Object.prototype, potentially leading to unexpected property assignments, logic bypasses, denial of service, and additional security risks. Users are therefore strongly urged to update to version 4.12.26 or later to mitigate these risks.
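The following JavaScript is an added illustration of the flaw class described above; it is not Jodit's own code and does not reproduce its implementation. It models a generic dot-path setter (`setPathUnsafe`, an assumed name) that walks each segment of a key chain without checking it, and a hardened counterpart (`setPathSafe`, also assumed) that rejects prototype-modifying segments and only descends into own properties. The `demonstrate` function shows why the filter matters and restores `Object.prototype` afterwards.

```javascript
// Added example, not code from the Jodit project. Function names are assumptions.

// Key names that can redirect a property walk onto a shared prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive dot-path setter: creates or follows each segment of "a.b.c" on target.
// Segment names are never checked, so a chain such as "__proto__.x" follows
// target.__proto__ (Object.prototype) and assigns x there: prototype pollution.
function setPathUnsafe(target, path, value) {
  const keys = path.split(".");
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (obj[k] === null || typeof obj[k] !== "object") {
      obj[k] = {};
    }
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened setter: refuses prototype-modifying segments up front and only
// descends into own properties, so inherited members are never followed.
function setPathSafe(target, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing prototype-modifying key "${k}" in path "${path}"`);
    }
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || obj[k] === null || typeof obj[k] !== "object") {
      obj[k] = {};
    }
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on a constructed user-controlled key chain and reports:
//   leaked   - the unsafe setter planted a property visible on an unrelated {}
//   rejected - the safe setter threw instead of touching Object.prototype
//   clean    - after cleanup, unrelated objects no longer see the property
function demonstrate() {
  const chain = "__proto__.pollutedFlag"; // constructed attacker-style input

  setPathUnsafe({}, chain, true);
  const leaked = ({}).pollutedFlag === true;
  delete Object.prototype.pollutedFlag; // restore the runtime

  let rejected = false;
  try {
    setPathSafe({}, chain, true);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const clean = ({}).pollutedFlag === undefined;

  return { leaked, rejected, clean };
}

console.log(demonstrate()); // { leaked: true, rejected: true, clean: true }
console.log(setPathSafe({}, "a.b.c", 1)); // { a: { b: { c: 1 } } }
```

Rejecting the three key names is the minimal fix; the own-property check is a second layer so that a chain can never be walked through an inherited member even if the deny list is incomplete. When the setter is fed data from outside the trust boundary, logging the rejected chain gives a cheap detection signal for pollution attempts.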

Affected Version(s)

jodit < 4.12.26

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
