Intel

AIKIDO-2026-734991

jodit is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)GHSA-j839-gqq4-gf9j Published Jun 26, 2026

54

Medium Risk

This Affects:

JSjodit
1.0.1 - 4.12.30
Fixed in 4.12.31
Are you affected? Scan for Free

TL;DR

The HTML sanitizer in jodit checks an element's href for executable schemes with a bare case-sensitive comparison that does not strip control bytes, tabs, or newlines, unlike the normalization applied to every other URL attribute. An attacker can store a javascript: link obfuscated with uppercase letters, a leading control byte, or an embedded tab or newline so it survives sanitization and persists in the stored editor value. When another user clicks the link in any view that renders that stored content, the attacker-controlled script executes in the page's origin. The fix routes href through the same isDangerousUrl normalization that strips control characters and lowercases the value before matching the scheme.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application renders stored editor content where a user can click an attacker-supplied link.

Background info

jodit is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.1 - 4.12.30.

How to fix this

Upgrade the jodit library to the patch version.