CVE Catalog

CVE-2026-54756

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

In Jodit Editor prior to version 4.12.18, the Jodit.configure() function and internal ConfigMerge/ConfigProto helpers merged user-supplied options without filtering prototype-mutating keys, leading to a Prototype Pollution vulnerability.

Risk Assessment

An attacker can inject malicious data into the editor configuration, potentially leading to application behavior modification, privilege escalation, or arbitrary code execution in the victim's browser.

Recommendation

Immediately update Jodit Editor to version 4.12.18 or later, which includes a fix that removes the prototype pollution vulnerability.

Original NVD description (English source)

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) — and the internal ConfigMerge / ConfigProto helpers — merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS