CVE Catalog

CVE-2026-58263

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

In Jodit Editor prior to version 4.12.28, a vulnerability allows bypassing the built-in clean-html sanitizer using a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk. This results in a no-interaction event handler surviving into the editor value, potentially causing Mutation XSS.

Risk Assessment

The risk is that an application supplying attacker-influenced HTML to the editor may generate malicious code that, when rendered (e.g., via innerHTML), executes without any user interaction, enabling data theft, session hijacking, or other harmful actions.

Recommendation

Immediately update the Jodit Editor library to version 4.12.28 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS