CVE-2026-58263

Mutation XSS in Jodit Editor via MathML and Style Tag Bypass

Vulnerability report for CVE-2026-58263, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Jodit Editor is a WYSIWYG editor written in pure TypeScript, with file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: jodit_editor
Product: jodit_editor
Version / Range: up to and including 4.12.28

CWE

CWE-83: The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability affects Jodit Editor versions prior to 4.12.28. The built-in clean-html sanitizer can be bypassed using a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk. As a result, a no-interaction event handler, such as onload or onfocus on an <img> tag, can survive into the editor's value. When attacker-influenced HTML is supplied to the editor's value-set or insertion paths, the sanitized output still contains live event handlers that execute without any user interaction, potentially causing a Mutation Cross-Site Scripting (XSS) attack.

Impact Analysis

The vulnerability allows an attacker to inject malicious event handlers into the editor's content that execute automatically when the content is rendered. This can lead to unauthorized script execution in the context of the affected application without any user interaction, potentially compromising the confidentiality and integrity of data, and allowing attackers to perform actions such as stealing session tokens or manipulating the DOM.

Mitigation Strategies

To mitigate this vulnerability, upgrade Jodit Editor to version 4.12.28 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows an attacker to inject malicious event handlers into the editor's output, potentially leading to cross-site scripting (XSS) attacks without user interaction.

Such XSS vulnerabilities can lead to unauthorized access to sensitive data or manipulation of content, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

If exploited, this vulnerability could result in data breaches or unauthorized data exposure, thereby violating the confidentiality and integrity requirements mandated by these standards.
