๐Ÿ” CVE Alert

CVE-2026-54756

UNKNOWN 0.0

Jodit Editor: Prototype pollution via Jodit.configure() / ConfigMerge

CVSS Score: 0.0
EPSS Score: 0.3%
EPSS Percentile: 19th

Jodit Editor is a WYSIWYG editor written in pure TypeScript with file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options), along with the internal ConfigMerge / ConfigProto helpers, merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.

CWE: CWE-1321
Vendor: xdan
Product: jodit
Published: Jul 1, 2026
Last Updated: Jul 2, 2026

Affected Versions

xdan / jodit
< 4.12.18

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/xdan/jodit/security/advisories/GHSA-5957-5c94-3v7w