Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Mon, 06 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Xdan
Xdan jodit |
|
| Vendors & Products |
Xdan
Xdan jodit |
Thu, 02 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) — and the internal ConfigMerge / ConfigProto helpers — merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18. | |
| Title | Jodit Editor: Prototype pollution via Jodit.configure() / ConfigMerge | |
| Weaknesses | CWE-1321 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-02T14:41:32.037Z
Reserved: 2026-06-15T23:12:41.965Z
Link: CVE-2026-54756
Updated: 2026-07-02T14:41:24.117Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T01:30:04Z