Search for packages
| purl | pkg:npm/react-draft-wysiwyg@1.14.6 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-kn6n-rqhg-rbdy
Aliases: CVE-2025-3191 GHSA-fq5x-7292-2p5r |
React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the <iframe> tag. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-zvch-wnmr-gyab | Cross-site Scripting react-draft-wysiwyg (aka React Draft Wysiwyg) allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS. |
CVE-2021-31712
GHSA-qcg2-h349-vwm3 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T05:45:55.550766+00:00 | GitLab Importer | Affected by | VCID-kn6n-rqhg-rbdy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-draft-wysiwyg/CVE-2025-3191.yml | 38.6.0 |
| 2026-06-04T17:34:52.990647+00:00 | GithubOSV Importer | Fixing | VCID-zvch-wnmr-gyab | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-qcg2-h349-vwm3/GHSA-qcg2-h349-vwm3.json | 38.6.0 |
| 2026-06-04T16:21:06.272653+00:00 | GitLab Importer | Fixing | VCID-zvch-wnmr-gyab | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-draft-wysiwyg/CVE-2021-31712.yml | 38.6.0 |