@tiptap/static-renderer is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
The HTML-string renderer pathways serialize editor JSON and ProseMirror-backed fragments into markup strings for downstream embedding and previews. In affected versions, serialized text nodes and serialized HTML attributes interpolated raw attacker-supplied strings into attribute builders and text concatenations without contextual escaping. Untrusted document JSON carrying markup-like payloads could therefore place unescaped angle brackets and quotes into the emitted string, introducing executable markup that a consumer relying on the renderer's output being inert would not expect. The patch applies shared escaping helpers so that emitted attribute values and text-node payloads consistently encode the HTML delimiter characters (angle brackets and quotes).
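The following is an added illustration of the defect class described above; it is not @tiptap/static-renderer's own code. It builds a deliberately minimal JSON-to-HTML serializer with a vulnerable mode (raw interpolation of text and attribute values) and a hardened mode (a shared escaping helper applied in both places), then runs both over a constructed untrusted document. The node-to-tag table, the `renderVulnerable`/`renderHardened` names and the document shape are assumptions made for the example.

```javascript
// Added example (not the library's code): a toy editor-JSON -> HTML serializer
// showing the unescaped "before" and escaped "after" behaviour from the advisory.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Shared escaping helper, applied to both text-node payloads and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Serialize a node's attrs to an attribute string; `escape` selects encoded or raw values.
function renderAttrs(attrs, escape) {
  return Object.entries(attrs || {})
    .map(([name, value]) => ` ${name}="${escape ? escapeHtml(value) : value}"`)
    .join('');
}

// Hypothetical node-type -> tag table standing in for a schema's toDOM output.
const TAGS = { paragraph: 'p', link: 'a' };

function renderNode(node, escape) {
  if (node.type === 'text') {
    // Text-node concatenation: raw in the vulnerable path, encoded in the hardened one.
    return escape ? escapeHtml(node.text) : node.text;
  }
  const tag = TAGS[node.type] || 'div';
  const children = (node.content || []).map((child) => renderNode(child, escape)).join('');
  return `<${tag}${renderAttrs(node.attrs, escape)}>${children}</${tag}>`;
}

// "Before": raw interpolation, as the advisory describes the affected versions.
function renderVulnerable(doc) {
  return renderNode(doc, false);
}

// "After": the same pipeline with the shared escaping helper applied consistently.
function renderHardened(doc) {
  return renderNode(doc, true);
}

// Constructed untrusted document JSON: a tag inside a text node and a
// double-quote breakout inside an attribute value.
const UNTRUSTED_DOC = {
  type: 'paragraph',
  content: [
    { type: 'text', text: 'hello <img src=x onerror=alert(1)>' },
    {
      type: 'link',
      attrs: { href: 'https://example.test/" onmouseover="alert(2)' },
      content: [{ type: 'text', text: 'click' }],
    },
  ],
};

// Check used by the reader: did an unescaped tag or an attribute breakout reach the output?
function containsRawMarkup(html) {
  return /<img\b/.test(html) || /" onmouseover="/.test(html);
}

console.log('vulnerable:', renderVulnerable(UNTRUSTED_DOC));
console.log('hardened:  ', renderHardened(UNTRUSTED_DOC));
```

Running it prints the vulnerable output with a live `<img onerror>` tag and an `onmouseover` attribute injected into the link, while the hardened output carries `&lt;img ...&gt;` and `&quot;` in their place. Note the limit of this fix: entity escaping makes text and quoted-attribute contexts inert, but it does not validate attribute semantics, so a consumer that renders untrusted documents still needs its own allowlisting of URL schemes and attribute names rather than relying on the renderer alone.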
You are affected if you are using a version that falls within the vulnerable range.
@tiptap/static-renderer is vulnerable to Cross-Site Scripting (XSS) in versions 3.0.0-next.1 - 3.22.4.
Upgrade @tiptap/static-renderer to a patched version (newer than 3.22.4).