@react-email/editor is vulnerable to Cross-Site Scripting (XSS)
59
Medium Risk
The @react-email/editor component sanitizes HTML that users paste into the rich text editor, but the paste handler has a fast-path that returns pasted markup unchanged whenever the HTML carries an editor node-* class name. Because that class marker can be embedded in untrusted content hosted elsewhere, pasting such content bypasses sanitization entirely and preserves script, iframe, object, embed, meta, and base elements as well as javascript:, vbscript:, and non-image data: URLs. This allows untrusted markup to execute arbitrary JavaScript in the origin of the application embedding the editor. The fix always runs element removal and URL scrubbing on every paste before the editor fast-path so dangerous tags and URL schemes are stripped.
You are affected if you are using a version that falls within the vulnerable range and users can paste untrusted HTML into the embedded editor.
@react-email/editor is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 1.5.1.
Upgrade the @react-email/editor library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant