roosterjs-content-model-core is vulnerable to Cross-Site Scripting (XSS)
Medium Risk (score 61)
Affected versions of this package do not validate or intercept drag-and-drop content before it is inserted into the editor, and they expose no hook through which the host application can refuse a drop. An attacker could exploit this by tricking a user into dragging crafted HTML or active content into the editor; whether that content is then rendered, persisted, or executed depends on the sanitization the application applies downstream. The patch introduces a beforeDrop event so applications can inspect the payload and block dangerous drops before they are accepted, which reduces the risk of content injection and editor-based XSS attack chains.
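As an added illustration of the kind of check a beforeDrop handler would run (this is not code from roosterjs or from the advisory's vendor): the exact shape of roosterjs's beforeDrop event is not given on this page, so the gate below is a plain function over the text/html string read from the DataTransfer, and attachDropGuard() is a hypothetical helper that wires the same check to the standard DOM drop event in the capture phase as an application-level control; the sample payloads are constructed.

```javascript
// Added example (not roosterjs code): a deny-list gate for dropped HTML of the
// kind a beforeDrop-style hook lets an application run. It decides block/allow;
// it is not a sanitizer, so downstream sanitization is still required.

// Tags whose presence blocks the drop outright: active content, or elements
// that change document semantics (base, meta, link, form).
const BLOCKED_TAGS = new Set([
  'script', 'iframe', 'frame', 'object', 'embed', 'applet',
  'base', 'meta', 'link', 'form', 'svg', 'math',
]);

// Attributes that carry URLs and are checked for executable schemes.
const URL_ATTRS = new Set([
  'href', 'src', 'srcdoc', 'action', 'formaction', 'xlink:href',
  'poster', 'background', 'data',
]);

// Start tags; quoted attribute values may contain '>' without ending the tag.
const TAG_RE = /<\s*([a-zA-Z][^\s/>]*)((?:"[^"]*"|'[^']*'|[^"'>])*)>/g;
// name, then optionally ="value", ='value' or =unquoted
const ATTR_RE = /([^\s"'=<>`/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Undo the entity encoding and control-character padding browsers tolerate in
// a URL scheme ("&#x6A;avascript:", "java\tscript:") before comparing schemes.
function normalizeScheme(value) {
  const fromCp = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '');
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCp(parseInt(d, 10)))
    .replace(/&colon;/gi, ':')
    .replace(/&(?:tab|newline);/gi, '')
    .replace(/[\u0000-\u0020]/g, '')
    .toLowerCase();
}

// javascript:/vbscript: always; data: unless it is a raster image, because
// data:text/html and data:image/svg+xml can carry script.
function isExecutableScheme(scheme) {
  if (scheme.startsWith('javascript:') || scheme.startsWith('vbscript:')) return true;
  if (scheme.startsWith('data:')) return !/^data:image\/(png|jpe?g|gif|webp|bmp)[;,]/.test(scheme);
  return false;
}

// Return the reasons a fragment should be refused; an empty list means allow.
function inspectDroppedHtml(html) {
  const reasons = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (BLOCKED_TAGS.has(tag)) reasons.push(`blocked tag <${tag}>`);
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name.startsWith('on')) reasons.push(`event handler ${name} on <${tag}>`);
      if (URL_ATTRS.has(name) && isExecutableScheme(normalizeScheme(value))) {
        reasons.push(`executable URL in ${name} on <${tag}>`);
      }
      if (name === 'style' && /expression\s*\(|javascript:/.test(normalizeScheme(value))) {
        reasons.push(`active CSS in style on <${tag}>`);
      }
    }
  }
  return reasons;
}

// payload: { html, text } as read via DataTransfer.getData('text/html' / 'text/plain').
// Only the HTML flavor is gated; a plain-text drop has nothing to execute.
function guardDrop(payload) {
  const reasons = inspectDroppedHtml(payload.html || '');
  return { allow: reasons.length === 0, reasons };
}

// Hypothetical browser-only wiring: run the gate in the capture phase on the
// editor's content element so the drop is cancelled before other handlers on
// that element or its descendants see it. Returns a function that detaches it.
function attachDropGuard(element, onBlocked = () => {}) {
  const listener = (event) => {
    const html = event.dataTransfer ? event.dataTransfer.getData('text/html') : '';
    const verdict = guardDrop({ html });
    if (!verdict.allow) {
      event.preventDefault();
      event.stopImmediatePropagation();
      onBlocked(verdict.reasons);
    }
  };
  element.addEventListener('drop', listener, { capture: true });
  return () => element.removeEventListener('drop', listener, { capture: true });
}

// Constructed sample payloads for a quick local run (node drop-guard.js).
const SAMPLE_DROPS = [
  '<p>Hello <b>world</b></p>',
  '<img src=x onerror=alert(1)>',
  '<a href="&#x6A;avascript:alert(1)">x</a>',
];
for (const html of SAMPLE_DROPS) console.log(JSON.stringify(guardDrop({ html })));
```

The gate is deliberately conservative: an attribute it cannot classify as safe (an `on*` handler, a URL attribute with an executable scheme) refuses the whole drop rather than trying to strip the offending part, which is the job of the sanitizer that runs afterwards.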
You are affected if you are using a version that falls within the vulnerable range.
roosterjs-content-model-core is vulnerable to Cross-Site Scripting (XSS) in versions 8.59.1 - 9.49.0.
Upgrade roosterjs-content-model-core to a patched version (a release later than 9.49.0), then register a beforeDrop handler that rejects unwanted content: the patch adds the hook, but the application decides what to block.