Vditor allows Cross-site Scripting via an attribute of an `A` element

Description

Vditor 3.10.3 allows XSS via an attribute of an A element.

NOTE: the vendor indicates that a user is supposed to mitigate this via sanitize=true.

Recommendation

No fix is available yet. Followings are affected versions:

• = 3.10.3

References

• GHSA-m5jf-8crm-r65m
• CVE-2024-34449
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• vditor Vulnerable to Cross-site Scripting in SVG events - CVE-2021-4103
• DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware - CVE-2025-59037
• Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
• The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008

Tags:

npm

vditor