CVE-2026-47110
Deferred
Deferred - Pending Action
Tiptap PHP JSON Input Validation Flaw Leads to DoS
Vulnerability report for CVE-2026-47110, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-24
Last updated on: 2026-07-14
Assigner: VulnCheck
Description
Description
Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri() function when passed to preg_match(). Attackers can persist malformed JSON records that permanently crash the server-side HTML rendering pipeline for all subsequent viewers of that record until the database entry is manually repaired.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-241 | The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |