jodit is vulnerable to Improper Input Validation
43
Medium Risk
A bypass of the sanitizer was patched to prevent stored XSS. The fix blocks content sources that could execute attacker-controlled HTML or script: iframe[srcdoc], data:text/html, SVG data: URLs loaded in a document context (as a frame or embedded document rather than as an image), and the javascript: and vbscript: schemes across all URL-bearing attributes. It still preserves data:image/* usage in <img>, so legitimate inline images are not broken. An attacker could exploit the issue by submitting crafted rich-text or HTML content that appears harmless but embeds active script through one of these previously insufficiently filtered vectors; the malicious code then runs in the browser of every user who views the stored content.
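The following is an added example, not Jodit's own sanitizer code, showing the kind of per-attribute URL screening the advisory describes: script schemes are rejected on every URL-bearing attribute, data: URLs are rejected everywhere except data:image/* on an <img> src, and iframe srcdoc is dropped outright. The attribute-name list, the function names and the sample values are assumptions for illustration; the input is assumed to be the entity-decoded attribute value a DOM walker would hand over, and browser-style whitespace and control-character stripping is applied before the scheme check so that split-scheme tricks such as "java\nscript:" do not slip through.

```javascript
// Added example (not Jodit's code): screen URL-bearing attributes for the
// vectors named in the advisory while keeping data:image/* on <img> intact.

// Attributes whose value the browser resolves as a URL (assumed list).
const URL_ATTRS = new Set([
  "href", "src", "xlink:href", "action", "formaction",
  "poster", "background", "data", "cite", "longdesc",
]);

// Normalise the way a browser does before scheme detection: strip leading and
// trailing C0 controls and spaces, remove tab/LF/CR anywhere, lower-case.
// The value is assumed to be already entity-decoded (as from getAttribute()).
function normalizeUrl(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
}

// Classify a URL value. Returns "safe" or a short rejection reason.
// allowImageData is true only where the value is rendered as an image
// (not as a document), so SVG or HTML in a data: URL cannot run script.
function classifyUrl(value, allowImageData) {
  const v = normalizeUrl(value);
  if (/^(javascript|vbscript):/.test(v)) return "script-scheme";
  if (v.startsWith("data:")) {
    // data:<mediatype>[;base64],<payload>  -- media type ends at ';' or ','
    const mediaType = v.slice(5).split(/[;,]/, 1)[0].trim();
    if (allowImageData && mediaType.startsWith("image/")) return "safe";
    return "data-url"; // text/html, svg in a document context, unlisted types
  }
  return "safe";
}

// Filter one element's attributes. Returns the kept attributes plus a list of
// what was dropped and why, which is useful for logging bypass attempts.
function sanitizeAttributes(tagName, attrs) {
  const tag = String(tagName).toLowerCase();
  const kept = {};
  const dropped = [];
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (tag === "iframe" && name === "srcdoc") {
      dropped.push({ name: rawName, reason: "iframe-srcdoc" });
      continue;
    }
    if (URL_ATTRS.has(name)) {
      const reason = classifyUrl(value, tag === "img" && name === "src");
      if (reason !== "safe") {
        dropped.push({ name: rawName, reason });
        continue;
      }
    }
    kept[rawName] = value;
  }
  return { attrs: kept, dropped };
}

// Constructed sample inputs (not taken from any real report).
const samples = [
  ["iframe", { srcdoc: "<script>alert(1)</script>", src: "https://example.com/" }],
  ["a", { href: "\u0001java\nscript:alert(1)", title: "link" }],
  ["object", { data: "data:text/html,<script>alert(1)</script>" }],
  ["img", { src: "data:image/png;base64,iVBORw0KGgo=", alt: "logo" }],
  ["a", { href: "data:image/svg+xml,<svg onload=alert(1)/>" }],
];
for (const [tag, attrs] of samples) {
  const { attrs: kept, dropped } = sanitizeAttributes(tag, attrs);
  console.log(tag, "kept:", Object.keys(kept), "dropped:", dropped);
}

module.exports = { URL_ATTRS, normalizeUrl, classifyUrl, sanitizeAttributes };
```

The element-aware rule is the important design choice: an SVG data: URL is harmless as an <img> source, where the browser renders it without script, but the same bytes become a scripting document when loaded through an <iframe>, <object> or navigation, which is why data: is allowed only for images on <img> and rejected everywhere else.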
You are affected if you are using a version that falls within the vulnerable range.
jodit is vulnerable to Improper Input Validation in versions 3.18.1 - 4.12.19.
Upgrade the jodit library to a patched version above the vulnerable range.