Description
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links.
Recommendation
Update the @tiptap/extension-link package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.10.4
- Patched version(s): 2.10.4
References
Related Issues
- Seroval affected by Denial of Service via Deeply Nested Objects - CVE-2026-24006
- Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
- Joplin Cross-site Scripting vulnerability (GHSA-7grw-xfx6-qhx6) - CVE-2023-37298
- rgb2hex vulnerable to inefficient regular expression complexity - CVE-2018-25061
- Tags:
- npm
- @tiptap/extension-link
Anything's wrong? Let us know Last updated on December 10, 2025