Description
Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri() function when passed to preg_match(). Attackers can persist malformed JSON records that permanently crash the server-side HTML rendering pipeline for all subsequent viewers of that record until the database entry is manually repaired.
Published: 2026-06-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tiptap for PHP versions before 2.1.1 contain an input validation flaw that allows an authenticated user to submit Tiptap JSON with the attrs.href field set to an array instead of a string. When the library attempts to validate the href, the improperly typed value is passed to preg_match() inside Link::isAllowedUri(), resulting in an unhandled TypeError that crashes the server‑side HTML rendering pipeline. The malicious record remains stored in the database and causes a permanent denial of service for all subsequent viewers until the database entry is manually repaired.

Affected Systems

Affected systems are PHP applications that rely on the Tiptap for PHP library distributed by ueberdosis. All releases prior to v2.1.1 are vulnerable. The library is commonly used to transform Tiptap JSON documents into HTML on the server side, so any deployment incorporating a compromised version can be impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity vulnerability. Exploitation requires authenticated access to inject the malformed JSON; however, once the payload is stored, it causes a server crash that cannot be recovered until manual cleanup. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation, but the ease of crafting the payload combined with high impact makes it a significant risk for systems using pre‑2.1.1 Tiptap PHP installations.

Generated by OpenCVE AI on June 25, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tiptap for PHP to version 2.1.1 or newer to apply the input-validation patch.
  • If an upgrade cannot be performed immediately, sanitize the attrs.href field on the server side to ensure it is a string before passing it to Link::isAllowedUri().
  • Locate and delete or correct any database entries that contain an array value for attrs.href to restore normal rendering for affected records.

Generated by OpenCVE AI on June 25, 2026 at 00:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Ueberdosis
Ueberdosis tiptap-php
Vendors & Products Ueberdosis
Ueberdosis tiptap-php

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri() function when passed to preg_match(). Attackers can persist malformed JSON records that permanently crash the server-side HTML rendering pipeline for all subsequent viewers of that record until the database entry is manually repaired.
Title Tiptap for PHP < 2.1.1 DoS via Malformed href Attribute
Weaknesses CWE-241
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Ueberdosis Tiptap-php
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:33:03.837Z

Reserved: 2026-05-18T19:22:26.748Z

Link: CVE-2026-47110

cve-icon Vulnrichment

Updated: 2026-06-30T03:23:15.945Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:40:19Z

Weaknesses
  • CWE-241

    Improper Handling of Unexpected Data Type