Description
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links.
Recommendation
Update the @tiptap/extension-link package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.10.4
- Patched version(s): 2.10.4
References
Related Issues
- Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) - CVE-2025-27109
- tarteaucitron Cross-site Scripting (XSS) - CVE-2025-1467
- Tags:
- npm
- @tiptap/extension-link
Anything's wrong? Let us know Last updated on December 10, 2025