
12 matches found

RedhatCVE
added 2025/12/17 8:07 a.m. (3 views)

CVE-2025-14284

A flaw was found in @tiptap/extension-link. This vulnerability allows an attacker to execute arbitrary JavaScript (JS) code via unsanitized user input when setting or toggling links, by injecting a javascript: Uniform Resource Locator (URL) payload. Mitigation: Mitigation for this issue is either not...

CVSS 6.1, AI score 6.8, EPSS 0.00038
Exploits: 1, References: 7

Veracode
added 2025/12/11 1:41 p.m. (6 views)

Cross-site Scripting (XSS)

@tiptap/extension-link is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to unsanitized user input in link-setting functionality, allowing attackers to inject javascript: URLs that execute arbitrary JavaScript when interacted with...

CVSS 6.1, AI score 6.7, EPSS 0.00038
Exploits: 1, References: 4, Affected Software: 1

EUVD
added 2025/12/09 6:30 p.m. (3 views)

EUVD-2025-201879

@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)...

CVSS 6.1, AI score 5.8, EPSS 0.00038
Exploits: 1, References: 5

OSV
added 2025/12/09 6:30 p.m. (4 views)

GHSA-VHRC-HGRQ-X75R @tiptap/extension-link vulnerable to Cross-site Scripting (XSS)

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...

CVSS 6.1, AI score 6.6, EPSS 0.00038
Exploits: 1, References: 6

vulnersOsv
added 2025/12/09 6:30 p.m. (4 views)

@10play/tentap-editor (>=0.5.27 <=0.7.5-alpha.0), @adminjs/design-system (>=3.0.0 <=4.0.3) +131 more potentially affected by CVE-2025-14284 via @tiptap/extension-link (>=2.0.0-beta.18 <=2.10.3)

@tiptap/extension-link NPM version =2.0.0-beta.18, =0.5.27, =3.0.0, =0.4.1, =3.0.0-alpha.1, =0.0.1, =0.2.1, =0.2.0, =0.1.0, =0.28.0, =3.4.0, =1.2.0, =0.0.3, =0.4.1 and more Source cves: CVE-2025-14284 Source advisory: OSV:GHSA-VHRC-HGRQ-X75R...

CVSS 6.1, AI score 5.4, EPSS 0.00038
Exploits: 1

OSV
added 2025/12/09 4:17 p.m. (2 views)

CVE-2025-14284

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...

CVSS 5.1, AI score 6.6
Exploits: 0, References: 4

NVD
added 2025/12/09 4:17 p.m. (2 views)

CVE-2025-14284

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...

CVSS 6.1, EPSS 0.00038
Exploits: 1, References: 4

Vulnrichment
added 2025/12/09 5:00 a.m. (2 views)

CVE-2025-14284

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...

CVSS 6.1, AI score 6.3, EPSS 0.00038
Exploits: 1, References: 4

CVE
added 2025/12/09 5:00 a.m. (7 views)

CVE-2025-14284

The CVE-2025-14284 entry applies to the @tiptap/extension-link package, specifically versions before 2.10.4. The issue is Cross-site Scripting (XSS) caused by unsanitized user input when setting or toggling links, allowing an attacker to inject a javascript: URL payload that can execute arbitrary...

CVSS 6.1, AI score 6.3, EPSS 0.00038
Exploits: 1, References: 4, Affected Software: 1

Positive Technologies
added 2025/12/09 12:00 a.m. (2 views)

PT-2025-49800

Name of the Vulnerable Software and Affected Versions: @tiptap/extension-link versions prior to 2.10.4. Description: The @tiptap/extension-link package is susceptible to Cross-site Scripting (XSS) because of unsanitized user input when setting or toggling links. An attacker can inject a javascript: UR...

CVSS 6.1, AI score 6.2, EPSS 0.00038
Exploits: 1, References: 8

vulnersOsv
added 2025/07/26 12:30 a.m. (2 views)

org.webjars.npm:tiptap__extension-link (>=2.0.0-beta.199 <=2.0.0-beta.202) potentially affected by CVE-2025-8101 via org.webjars.npm:linkifyjs (=4.0.0-beta.6)

org.webjars.npm:linkifyjs MAVEN version =4.0.0-beta.6 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:linkifyjs and may be impacted: - org.webjars.npm:tiptap__extension-link =2.0.0-beta.199, =2.0.0-beta.202 Source cves: CVE-2025-8101 Sour...

CVSS 8.8, AI score 5.8, EPSS 0.00671
Exploits: 0

vulnersOsv
added 2024/11/29 4:03 p.m. (5 views)

@10play/tentap-editor (>=0.5.27 <=0.7.5-alpha.0), @adminjs/design-system (>=3.0.0 <=4.0.3) +131 more potentially affected by CVE-2025-14284 via @tiptap/extension-link (>=2.0.0-beta.18 <=2.10.3)

@tiptap/extension-link NPM version =2.0.0-beta.18, =0.5.27, =3.0.0, =0.4.1, =3.0.0-alpha.1, =0.0.1, =0.2.1, =0.2.0, =0.1.0, =0.28.0, =3.4.0, =1.2.0, =0.0.3, =0.4.1 and more Source cves: CVE-2025-14284 Source advisory: SNYK:JS-TIPTAPEXTENSIONLINK-14222197...

CVSS 6.1, AI score 5.4, EPSS 0.00038
Exploits: 1