Improper Handling of Unexpected Data Type Affecting ueberdosis/tiptap-php package, versions <2.1.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.31% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-UEBERDOSISTIPTAPPHP-17660529
  • published27 Jun 2026
  • disclosed24 Jun 2026
  • creditUnknown

Introduced: 24 Jun 2026

NewCVE-2026-47110  (opens in a new tab)
CWE-241  (opens in a new tab)

How to fix?

Upgrade ueberdosis/tiptap-php to version 2.1.1 or higher.

Overview

Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type via the Link::isAllowedUri function when processing Tiptap JSON containing an attrs.href field set to an array instead of a string. An attacker can cause persistent server-side crashes by submitting malformed JSON records, resulting in denial of service for all subsequent viewers of the affected record until manual database repair is performed.

CVSS Base Scores

version 4.0
version 3.1