CVE-2022-23474
MEDIUM
Editor.js < 2.26.0 - Code Injection via Pasted Input
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.
References (2)
Core References
Exploit, Patch, Third Party Advisory x_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js/
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/codex-team/editor.js/pull/2100
Scores
CVSS v3
6.1
EPSS
0.0053
EPSS Percentile
40.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-94
Status
published
Products (2)
codex/editor.js
< 2.26.0
editorjs/editorjs
0 - 2.26.0 (npm)
Published
Dec 15, 2022
Tracked Since
Feb 18, 2026