CVE-2026-58263
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
01/07/2026
Last modified:
02/07/2026
Description
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/ carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH



