WYSIWYG Editor Vulnerability in Jodit by xdan
CVE-2026-58263

7.2 HIGH

Key Information:

Vendor: Xdan
Status: Vendor
CVE Published: 1 July 2026

What is CVE-2026-58263?

Jodit, a WYSIWYG editor, is vulnerable to cross-site scripting (XSS) because its built-in clean-html sanitizer does not fully sanitize HTML content. In versions before 4.12.28, an attacker can smuggle script through a MathML or comparable markup carrier that the sanitizer does not neutralize, leaving live event handlers (on* attributes) in the editor's output. When that output is rendered in a victim's browser, the handlers execute attacker-controlled script with no user interaction required. The issue is fixed in version 4.12.28; deployments on earlier versions should upgrade.
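The failure mode described above, as an added illustration that is not Jodit's clean-html code and does not reproduce the reported payload: a tokenizer-driven sanitizer run under two policies. The naive policy cleans attributes only on elements it recognises as HTML and copies anything else (including MathML) through verbatim, so an on* handler on a MathML element survives; the hardened policy strips on* attributes and javascript: URLs on every element and drops foreign-content carriers wholesale. The element set, the sample markup and the handler bodies (`a()`, `b()`, `c()`) are constructed placeholders; a production sanitizer should use a real DOM parser rather than the regex tokenizer used here for brevity.

```javascript
// Illustrative sanitizer models (not Jodit's clean-html plugin). The regex
// tokenizer is a simplification: it does not handle '>' inside attribute
// values or malformed markup the way a real HTML parser would.
const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)([^>]*?)(\/?)>/g;
const ATTR_RE = /([^\s=\/"']+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Constructed element sets for the example (placeholders, not Jodit's lists).
const HTML_ALLOWED = new Set(['p', 'b', 'i', 'a', 'span', 'div', 'img', 'br', 'ul', 'li']);
const SCRIPT_LIKE = new Set(['script', 'iframe', 'object', 'embed']);
const MARKUP_CARRIERS = new Set(['math', 'svg']); // foreign-content roots

// Parse an attribute string into [name, rawValue] pairs; rawValue keeps its quotes.
function parseAttrs(attrString) {
  const attrs = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    attrs.push([m[1], m[2] === undefined ? null : m[2]]);
  }
  return attrs;
}

function serializeTag(name, attrs, selfClose) {
  const a = attrs.map(([k, v]) => (v === null ? k : `${k}=${v}`)).join(' ');
  return `<${name}${a ? ' ' + a : ''}${selfClose}>`;
}

// Remove event handlers (on*) and javascript: URLs from an attribute list.
function stripDangerous(attrs) {
  return attrs.filter(([k, v]) => {
    if (/^on/i.test(k)) return false;
    if (v !== null && /^["']?\s*javascript:/i.test(v)) return false;
    return true;
  });
}

// Walk the tags once; `policy.dropSubtree(name)` removes an element and
// everything inside it, `policy.cleanAttrs(name, attrs)` filters attributes.
function sanitize(html, policy) {
  let out = '';
  let last = 0;
  let dropDepth = 0;   // >0 while inside an element being removed wholesale
  let dropName = null;
  for (const m of html.matchAll(TAG_RE)) {
    const [whole, slash, rawName, attrString, selfClose] = m;
    const text = html.slice(last, m.index);
    last = m.index + whole.length;
    const name = rawName.toLowerCase();
    const closing = slash === '/';
    if (dropDepth > 0) {
      if (name === dropName) dropDepth += closing ? -1 : 1;
      continue;        // text and tags inside a dropped subtree vanish
    }
    out += text;
    if (policy.dropSubtree(name)) {
      if (!closing && !selfClose) { dropDepth = 1; dropName = name; }
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }
    out += serializeTag(name, policy.cleanAttrs(name, parseAttrs(attrString)), selfClose);
  }
  return out + html.slice(last);
}

// Naive policy: only recognised HTML elements get their attributes cleaned;
// a MathML element is "unknown" and is copied through with its on* intact.
const naivePolicy = {
  dropSubtree: (name) => SCRIPT_LIKE.has(name),
  cleanAttrs: (name, attrs) => (HTML_ALLOWED.has(name) ? stripDangerous(attrs) : attrs),
};

// Hardened policy: clean attributes on EVERY element, whatever its namespace,
// and drop MathML/SVG carriers entirely because their elements host the same
// event-handler attributes as HTML elements do.
const hardenedPolicy = {
  dropSubtree: (name) => SCRIPT_LIKE.has(name) || MARKUP_CARRIERS.has(name),
  cleanAttrs: (name, attrs) => stripDangerous(attrs),
};

// Post-sanitization check: does any tag in the output still carry an on* attribute?
function hasLiveHandler(html) {
  for (const m of html.matchAll(TAG_RE)) {
    if (parseAttrs(m[3]).some(([k]) => /^on/i.test(k))) return true;
  }
  return false;
}

// Constructed sample, not the reported payload: an HTML handler the naive
// sanitizer does catch, a MathML handler it does not, and a script element.
const SAMPLE = '<p onclick="a()">hello</p><math><mi onmouseover="b()">x</mi></math><script>c()</script>';

console.log('naive   :', sanitize(SAMPLE, naivePolicy), '| live handler:', hasLiveHandler(sanitize(SAMPLE, naivePolicy)));
console.log('hardened:', sanitize(SAMPLE, hardenedPolicy), '| live handler:', hasLiveHandler(sanitize(SAMPLE, hardenedPolicy)));
```

`hasLiveHandler` is the check worth keeping regardless of which sanitizer is in use: run it over the sanitizer's output, not its input, and treat any surviving on* attribute as a sanitizer bypass.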

Affected Version(s)

jodit < 4.12.28

CVSS v3.1

Score: 7.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
