@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)

Description

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links.

Recommendation

Update the @tiptap/extension-link package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.10.4
• Patched version(s): 2.10.4

References

• GHSA-vhrc-hgrq-x75r
• security.snyk.io
• CVE-2025-14284
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
• Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
• Bootstrap vulnerable to Cross-Site Scripting (XSS) - CVE-2018-14040

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

@tiptap/extension-link