CVE-2026-58263
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
In Jodit Editor prior to version 4.12.28, a vulnerability allows bypassing the built-in clean-html sanitizer using a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk. This results in a no-interaction event handler surviving into the editor value, potentially causing Mutation XSS.
Risk Assessment
The risk is that an application supplying attacker-influenced HTML to the editor may generate malicious code that, when rendered (e.g., via innerHTML), executes without any user interaction, enabling data theft, session hijacking, or other harmful actions.
Recommendation
Immediately update the Jodit Editor library to version 4.12.28 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.

