jodit is vulnerable to Cross-Site Scripting (XSS)
72
High Risk
The HTML sanitizer in jodit walks parsed content as elements, but markup smuggled as style rawtext inside a MathML or SVG foreign-content carrier is not an element during that walk and escapes cleaning. A later serialize-and-reparse hoists the hidden markup, such as an img carrying an on* handler, into a live HTML node with its event handler intact. An application that re-renders the editor value then runs attacker-supplied script with no user interaction, producing stored cross-site scripting in the default configuration. The fix removes HTML-namespace elements the parser placed inside math or svg outside integration points before the walk, including nested carriers.
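The mitigation described above, as an added example that is not jodit's own patch: a walker that drops HTML-namespace elements found inside an svg or math carrier outside an integration point, re-evaluating the foreign-content flag at every nested carrier. The function names, the FakeElement stand-in and the sample tree are constructed for this illustration; the walker itself only uses standard DOM properties (nodeType, namespaceURI, localName, childNodes, getAttribute, removeChild), so in a browser it can be pointed at the body of a DOMParser result before the sanitizer's own element walk.

```javascript
// Added example, not jodit's own code: drop HTML-namespace elements that sit
// inside an <svg> or <math> carrier outside an integration point, so a later
// serialize-and-reparse cannot hoist them into live HTML. Works on any
// DOM-shaped tree exposing nodeType, namespaceURI, localName, childNodes,
// getAttribute and removeChild; in a browser pass a real Element.

const HTML_NS = "http://www.w3.org/1999/xhtml";
const SVG_NS = "http://www.w3.org/2000/svg";
const MATHML_NS = "http://www.w3.org/1998/Math/MathML";

// HTML integration points (HTML parsing spec): their children are parsed as
// HTML, so HTML-namespace children there are legitimate.
function isHtmlIntegrationPoint(el) {
  if (el.namespaceURI === SVG_NS) {
    return ["foreignObject", "desc", "title"].includes(el.localName);
  }
  if (el.namespaceURI === MATHML_NS && el.localName === "annotation-xml") {
    const enc = (el.getAttribute("encoding") || "").toLowerCase();
    return enc === "text/html" || enc === "application/xhtml+xml";
  }
  return false;
}

// MathML text integration points: most children are also parsed as HTML.
function isMathMLTextIntegrationPoint(el) {
  return el.namespaceURI === MATHML_NS &&
    ["mi", "mo", "mn", "ms", "mtext"].includes(el.localName);
}

function isCarrier(el) {
  return el.namespaceURI === SVG_NS || el.namespaceURI === MATHML_NS;
}

// Recursive walk. `inForeign` is true while the parent is foreign content
// (under svg/math and not under an integration point). Returns the number of
// elements removed. Nested carriers (e.g. math > mtext > svg) are covered
// because each carrier recomputes the flag for its own children.
function stripSmuggledHtml(node, inForeign = false) {
  let removed = 0;
  for (const child of Array.from(node.childNodes)) {
    if (child.nodeType !== 1) continue; // only element nodes matter here
    if (inForeign && child.namespaceURI === HTML_NS) {
      node.removeChild(child);
      removed += 1;
      continue;
    }
    const childForeign = isCarrier(child)
      ? !(isHtmlIntegrationPoint(child) || isMathMLTextIntegrationPoint(child))
      : false; // HTML element under an integration point: ordinary HTML subtree
    removed += stripSmuggledHtml(child, childForeign);
  }
  return removed;
}

// --- Constructed stand-in for a DOM so the walker runs outside a browser ---
class FakeElement {
  constructor(namespaceURI, localName, attrs = {}) {
    this.nodeType = 1;
    this.namespaceURI = namespaceURI;
    this.localName = localName;
    this.attrs = attrs;
    this.childNodes = [];
  }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
  appendChild(child) { this.childNodes.push(child); return child; }
  removeChild(child) { this.childNodes = this.childNodes.filter(c => c !== child); return child; }
}

// Constructed sample tree: two smuggled HTML elements (img under svg, b under a
// nested svg inside math > mtext) and one legitimate div under svg > foreignObject.
function buildSample() {
  const body = new FakeElement(HTML_NS, "body");
  const svg = body.appendChild(new FakeElement(SVG_NS, "svg"));
  svg.appendChild(new FakeElement(HTML_NS, "img"));
  const fo = svg.appendChild(new FakeElement(SVG_NS, "foreignObject"));
  fo.appendChild(new FakeElement(HTML_NS, "div"));
  const math = body.appendChild(new FakeElement(MATHML_NS, "math"));
  const mtext = math.appendChild(new FakeElement(MATHML_NS, "mtext"));
  const inner = mtext.appendChild(new FakeElement(SVG_NS, "svg"));
  inner.appendChild(new FakeElement(HTML_NS, "b"));
  return body;
}

// Flat listing of element names in document order, for inspection.
function listElements(node, out = []) {
  for (const child of node.childNodes) {
    if (child.nodeType !== 1) continue;
    const prefix = child.namespaceURI === HTML_NS ? "html"
      : child.namespaceURI === SVG_NS ? "svg" : "math";
    out.push(`${prefix}:${child.localName}`);
    listElements(child, out);
  }
  return out;
}

const sample = buildSample();
console.log("before:", listElements(sample).join(" "));
console.log("removed:", stripSmuggledHtml(sample));
console.log("after: ", listElements(sample).join(" "));
```

Running it prints the tree before and after the pass: the html:img directly under svg and the html:b under the nested svg are removed, while the html:div under foreignObject survives. A second pass over the same tree removes nothing, which is the idempotence property a sanitizer step should have before the serialize-and-reparse that follows.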
You are affected if you are using a version that falls within the vulnerable range and your application re-renders editor content as HTML.
jodit is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.1 - 4.12.27.
Upgrade the jodit library to a patched version.