CVE-2026-55886
Jodit Editor: Prototype Pollution in Jodit via Jodit.modules.Helpers.set()
Jodit Editor is a WYSIWYG editor written in pure TypeScript with file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.set(chain, value, obj), which walks the dot-separated chain, creating and following each path segment without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype. Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable, causing unexpected property injection, logic bypass, denial of service, or secondary security issues. This issue has been fixed in version 4.12.26.
| CWE | CWE-1321 |
| Vendor | xdan |
| Product | jodit |
| Published | Jul 1, 2026 |
| Last Updated | Jul 2, 2026 |
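The unfiltered chain walk described above, next to a guarded variant, as an added example that is not Jodit's source code or its 4.12.26 patch. The names setNaive, setGuarded, demo and the marker property are hypothetical; the guard shown is one common way to filter such keys.

```javascript
// Added example: hypothetical helpers, not code from the Jodit project.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive walker matching the advisory's description: each segment is
// created or followed with no filtering of prototype-mutating keys.
function setNaive(chain, value, obj) {
  const parts = String(chain).split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
}

// Guarded walker: rejects the whole chain if any segment is a
// prototype-mutating key, and only follows the object's own properties.
function setGuarded(chain, value, obj) {
  const parts = String(chain).split('.');
  if (parts.some((p) => BLOCKED_KEYS.has(p))) return false;
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return true;
}

// Runs both walkers on a constructed chain and reports whether an
// unrelated, freshly created object picked up the marker property.
function demo() {
  const marker = 'pollutedByDemo'; // constructed property name
  setNaive('__proto__.' + marker, true, {});
  const naiveLeaked = ({})[marker] === true;
  delete Object.prototype[marker]; // undo the change before continuing
  const accepted = setGuarded('__proto__.' + marker, true, {});
  const guardedLeaked = marker in {};
  const target = {};
  setGuarded('a.b.c', 1, target); // ordinary nested paths still work
  return { naiveLeaked, accepted, guardedLeaked, value: target.a.b.c };
}
```

Where upgrading is not immediately possible, the same segment check can be applied to any user-influenced key path before it reaches Jodit.modules.Helpers.set().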