Cross-Site Scripting (XSS) in Jodit Editor
Description
Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jodit (npm) | <= 3.24.2 | — |
Affected products
- xdan/Jodit Editor v5, range: 3.20.4
Patches
Vulnerability mechanics
Root cause
"The editor does not properly sanitize input when pasting content, allowing for the injection of malicious scripts."
Attack vector
An attacker can craft a specially formatted input, such as an HTML snippet containing script tags, and paste it into the Jodit Editor. The editor's handling of pasted content fails to neutralize these script tags, leading to their execution in the context of the user's browser. This vulnerability is described as an XSS attack that occurs when pasting specially constructed input [ref_id=1]. The advisory notes that this issue has not been fully patched [ref_id=1].
Affected code
The vulnerability lies within the Jodit Editor's handling of pasted content. Specifically, the input sanitization process when data is inserted via pasting is insufficient to prevent the execution of arbitrary JavaScript code. The reference write-up indicates that the issue is related to pasting specially constructed input into the editor [ref_id=1].
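The root cause quoted above is missing sanitization of pasted markup. The following is an added example in plain JavaScript, not Jodit's code and not a workaround for this advisory: it shows what an allowlist-based sanitizer for a pasted HTML fragment does, so that `<script>` bodies, event-handler attributes and non-http(s)/mailto `href` schemes never reach the editable document. The tag and attribute allowlists, the `sanitizeHtml` and `installPasteGuard` names, and the sample inputs are all assumptions made for the example. Production code should use a DOM-based sanitizer (for example DOMPurify) rather than a string tokenizer; this block illustrates the allowlist principle, not a complete HTML parser.

```javascript
// Added example (assumed names and lists): allowlist sanitizer for pasted HTML.
// Anything that is not an explicitly allowed element or attribute is removed, and
// text the tokenizer does not recognise as a tag is escaped so the browser cannot
// parse it as markup. This is not Jodit's implementation.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'a']);
const VOID_TAGS = new Set(['br']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
// Elements whose body is executable or styling: dropped together with their content.
const DROP_WITH_BODY = new Set(['script', 'style']);
// URL schemes allowed in href; javascript:, data:, vbscript: etc. are rejected by omission.
const SAFE_URL = /^(?:https?:|mailto:)/i;

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  // Existing entities are left alone; only stray angle brackets are neutralised.
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return s.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    // Event handlers (on*) and anything not on the per-tag allowlist are dropped.
    if (name.startsWith('on') || !allowed.has(name)) continue;
    if (name === 'href') {
      // Remove control characters (used to disguise a scheme) before the scheme check.
      const cleaned = value.replace(/[\u0000-\u001f\u007f]/g, '').trim();
      if (!SAFE_URL.test(cleaned)) continue;
      out += ` href="${escapeAttr(cleaned)}"`;
    } else {
      out += ` ${name}="${escapeAttr(value)}"`;
    }
  }
  return out;
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let dropUntil = null; // name of a DROP_WITH_BODY element whose body is being skipped
  for (const m of html.matchAll(TAG_RE)) {
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + whole.length;
    if (dropUntil) {
      if (slash && name === dropUntil) dropUntil = null;
      continue; // text and tags inside <script>/<style> are discarded
    }
    out += escapeText(text);
    if (slash) {
      if (ALLOWED_TAGS.has(name) && !VOID_TAGS.has(name)) out += `</${name}>`;
      continue; // closing tags of disallowed elements vanish
    }
    if (DROP_WITH_BODY.has(name)) { dropUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue; // disallowed element: tag removed, its text kept
    out += `<${name}${sanitizeAttrs(name, rawAttrs)}>`;
  }
  if (!dropUntil) out += escapeText(html.slice(last)); // an unclosed <script> drops the rest
  return out;
}

// Where the sanitizer would sit in a browser: intercept the paste event on the
// editable element and insert the cleaned fragment instead of the raw clipboard HTML.
// Illustrative only; not executed here.
function installPasteGuard(editable) {
  editable.addEventListener('paste', (ev) => {
    const html = ev.clipboardData.getData('text/html');
    if (!html) return; // plain-text paste carries no markup to sanitise
    ev.preventDefault();
    document.execCommand('insertHTML', false, sanitizeHtml(html));
  });
}

module.exports = { sanitizeHtml, installPasteGuard };
```

The design choice worth noting is fail-closed allowlisting: the code never tries to enumerate dangerous tags or schemes; it enumerates the few that are acceptable and escapes or drops everything else, which is what a paste path needs because the clipboard content is fully attacker-controlled.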
What the fix does
No specific code changes are available for a patch, and the advisory indicates that the issue has not been fully patched, so a complete fix is still pending. Therefore, no specific remediation details can be provided at this time. The advisory states there are no known workarounds [ref_id=1].
Preconditions
- input: Specially crafted input containing script tags.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-42hx-vrxx-5r6v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23461 (GHSA, advisory)
- securitylab.github.com/advisories/GHSL-2022-030_xdan_jodit (GHSA, advisory)
- securitylab.github.com/advisories/GHSL-2022-030_xdan_jodit/ (MITRE, x_refsource_MISC)