Intel

AIKIDO-2026-54895

@react-email/editor is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

JS@react-email/editor
1.0.0 - 1.5.1
Fixed in 1.5.2
Are you affected? Scan for Free

TL;DR

The @react-email/editor component sanitizes HTML that users paste into the rich text editor, but the paste handler has a fast-path that returns pasted markup unchanged whenever the HTML carries an editor node-* class name. Because that class marker can be embedded in untrusted content hosted elsewhere, pasting such content bypasses sanitization entirely and preserves script, iframe, object, embed, meta, and base elements as well as javascript:, vbscript:, and non-image data: URLs. This allows untrusted markup to execute arbitrary JavaScript in the origin of the application embedding the editor. The fix always runs element removal and URL scrubbing on every paste before the editor fast-path so dangerous tags and URL schemes are stripped.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and users can paste untrusted HTML into the embedded editor.

Background info

@react-email/editor is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 1.5.1.

How to fix this

Upgrade the @react-email/editor library to the patch version.