skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
September 9, 2022

GHSL-2022-030: Cross-Site Scripting (XSS) in Jodit Editor 3 - CVE-2022-23461

GitHub Security Lab

Coordinated Disclosure Timeline


Jodit Editor 3 is vulnerable to XSS attacks when pasting specially constructed input.


Jodit Editor 3

Tested Version



Issue: XSS in jodit editor (GHSL-2022-030)

This query highlights several locations, all of which I believe to be exploitable. I believe this is the location triggered by the PoC.


  1. Open in your browser, enter the text below in the HTML Input box:
  <meta name=Generator content="Microsoft Word 15">
  <img src="" onerror="alert(123)" />
  1. Click Copy as HTML.
  2. Go to
  3. Paste the text you copied in [3].
  4. Click Keep.
  5. JavaScript: alert(123) is executed.


This issue may lead to XSS in any webpage that uses the editor. Users who copy-paste content from a page controlled by an attacker may be vulnerable.



This issue was discovered by CodeQL team members @kaeluka (Stephan Brandauer) and @erik-krogh (Erik Krogh Kristensen), using a CodeQL query originally contributed by community member @bananabr (Daniel Santos).


You can contact the GHSL team at, please include a reference to GHSL-2022-030 in any communication regarding this issue.