CVE-2026-58263
Jodit Editor: Mutation XSS in jodit clean-html via a MathML/style rawtext carrier
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.
| CWE | CWE-79 CWE-83 |
| Vendor | xdan |
| Product | jodit |
| Published | Jul 1, 2026 |
| Last Updated | Jul 2, 2026 |
Get instant alerts for xdan jodit
Be the first to know when new high vulnerabilities affecting xdan jodit are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N