CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54756

unknowncovered by 1 sourcefirst seen 2026-07-01
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) — and the internal ConfigMerge / ConfigProto helpers — merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.

⚡ Watch CVE-2026-54756

Get an email if CVE-2026-54756 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54756

CVE.org record

Embed the live status

CVE-2026-54756 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54756 status](https://www.csirts.com/badge/CVE-2026-54756)](https://www.csirts.com/cve/CVE-2026-54756)