Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-47110— Tiptap for PHP < 2.1.1 DoS via Malformed href Attribute

CVSS 6.5 · Medium EPSS 0.30% · P22

Possible ATT&CK Techniques 1AI

T1499 · Endpoint Denial of Service

Affected Version Matrix 1

VendorProductVersion RangeStatus
ueberdosistiptap-php< 2.1.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-47110

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Tiptap for PHP < 2.1.1 DoS via Malformed href Attribute
Source: NVD (National Vulnerability Database)
Vulnerability Description
Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri() function when passed to preg_match(). Attackers can persist malformed JSON records that permanently crash the server-side HTML rendering pipeline for all subsequent viewers of that record until the database entry is manually repaired.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
非预期数据类型处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Tiptap 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Tiptap Tiptap是Tiptap组织开源的一个开源的无头编辑器框架,提供 100+ 扩展及协作、AI 智能体、文档转换等付费功能,帮助开发者快速构建自定义的富文本编辑器。 Tiptap 2.1.1之前版本存在输入验证错误漏洞,该漏洞源于输入验证存在缺陷,可能导致经过身份验证的攻击者通过提交包含特制attrs.href字段的Tiptap JSON,触发Link::isAllowedUri()函数中的未处理类型错误,从而造成拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
ueberdosistiptap-php 0 ~ 2.1.1 -

II. Public POCs for CVE-2026-47110

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-47110

登录查看更多情报信息。

Patches & Fixes for CVE-2026-47110 (2)

Vendor Advisories for CVE-2026-47110 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-47110

No comments yet


Leave a comment