Vulnerability DatabaseCVE-2026-47110
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-47110
Published:June 24, 2026
Updated:June 29, 2026
Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri() function when passed to preg_match(). Attackers can persist malformed JSON records that permanently crash the server-side HTML rendering pipeline for all subsequent viewers of that record until the database entry is manually repaired.
Affected Packages
https://github.com/ueberdosis/tiptap-php.git (GITHUB):
Affected version(s) >=1.0.0 <2.1.1
Fix Suggestion:
Update to version 2.1.1
ueberdosis/tiptap-php (PHP):
Affected version(s) >=dev-feature/add-font-family-extension <2.1.1
Fix Suggestion:
Update to version 2.1.1
Related Resources (4)
https://github.com/ueberdosis/tiptap-php/commit/74bfb7be1c8c6102b240f3879b7f984a6ab87b97
https://github.com/ueberdosis/tiptap-php/releases/tag/2.1.1
https://github.com/ueberdosis/tiptap-php/pull/94
https://www.vulncheck.com/advisories/tiptap-for-php-dos-via-malformed-href-attribute
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Handling of Unexpected Data Type
CWE-241
EPSS
Base Score:
0.30