VYPR
Moderate severity · NVD Advisory · Published Sep 14, 2023 · Updated Sep 25, 2024

CVE-2023-41592

Description

Froala Editor versions 4.0.1 through 4.1.1 contain a stored cross-site scripting (XSS) vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

Froala Editor, a popular JavaScript WYSIWYG HTML editor, versions 4.0.1 through 4.1.1 are vulnerable to a cross-site scripting (XSS) flaw [4]. The vulnerability stems from insufficient sanitization of user-supplied content, allowing arbitrary HTML and JavaScript to be injected into the editor's output [1].

Exploitation

An attacker can exploit this by crafting malicious input that, when rendered by the editor, executes scripts in the context of the victim's browser. No authentication is required if the editor is publicly accessible; the attack can be delivered via any content field using the editor, such as comments or posts [4].

Impact

Successful exploitation enables an attacker to perform actions on behalf of the victim, steal session cookies, deface web pages, or redirect users to malicious sites. This is a classic stored XSS scenario with high potential for harm [1][4].

Mitigation

The issue is resolved in Froala Editor version 4.1.4, as noted in the official changelog [1]. Users are strongly advised to upgrade immediately. No workarounds are documented.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions    Patched versions
froala/wysiwyg-editor   Packagist   >= 4.0.1, < 4.1.4    4.1.4
froala-editor           npm         >= 4.0.1, < 4.1.4    4.1.4

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users [CWE-79]."

Attack vector

An attacker can inject malicious script tags into the Froala Editor's input fields. Since the input is not properly sanitized, these script tags are rendered directly into the HTML output. This allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session [ref_id=1]. The vulnerability is present in versions v4.0.1 to v4.1.1 of the Froala Editor.

Affected code

The vulnerability lies within the Froala Editor's handling of user-provided input, specifically how it processes and renders HTML content. Versions v4.0.1 to v4.1.1 are affected by this improper neutralization of input, leading to cross-site scripting [ref_id=1].

What the fix does

The advisory does not specify a patch or provide details on how the vulnerability is fixed. Users are advised to update to a version of the Froala Editor that addresses this vulnerability. The exact version with the fix is not specified in the provided information.

Preconditions

  • Input: The attacker must be able to inject script tags into the Froala Editor's input fields.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0

No linked articles in our index yet.