PatchSiren cyber security CVE debrief
CVE-2026-47110 ueberdosis CVE debrief
CVE-2026-47110 is a high-severity vulnerability in Tiptap for PHP, a popular PHP library for rich-text editing. The vulnerability allows authenticated attackers to cause a denial of service (DoS) by submitting Tiptap JSON with the attrs.href field set to an array instead of a string. This malformed input triggers an unhandled TypeError in the Link::isAllowedUri() function when passed to preg_match(), leading to a permanent crash of the server-side HTML rendering pipeline for all subsequent viewers of that record until the database entry is manually repaired. The vulnerability has a CVSS score of 7.1 and is considered high severity. The issue was published on June 24, 2026, and modified on June 30, 2026.
- Vendor: ueberdosis
- Product: tiptap-php
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-30
Who should care
Organizations using Tiptap for PHP in their applications should prioritize patching this vulnerability to prevent potential denial-of-service attacks. This vulnerability is particularly concerning for applications that allow user-submitted content or have a high volume of authenticated users. Additionally, developers and security teams responsible for maintaining and securing PHP applications that integrate Tiptap should be aware of this issue and take immediate action to mitigate the risk.
Technical summary
The vulnerability in Tiptap for PHP (CVE-2026-47110) is caused by inadequate input validation in the Link::isAllowedUri() function. The function assumes that attrs.href is a string and passes it directly to preg_match(); when a document is submitted with attrs.href set to an array, preg_match() throws a TypeError that nothing catches. Because the malformed document is persisted, the server-side HTML rendering pipeline fails on every subsequent attempt to render that record, for every viewer, until the database entry is repaired. The vulnerability requires authentication and has a CVSS score of 7.1, indicating high severity. The root cause is insufficient type validation of user-submitted JSON before it reaches string-only functions, which underlines the importance of robust input validation in preventing such attacks.
Defensive priority
High priority should be given to patching CVE-2026-47110, as it allows authenticated attackers to cause a denial of service. Immediate action is recommended to prevent potential attacks.
Recommended defensive actions
- Apply the patch: Upgrade Tiptap for PHP to version 2.1.1 or later to fix the vulnerability.
- Validate user input: Ensure that all user-submitted JSON data is properly validated to prevent similar attacks in the future.
- Monitor for suspicious activity: Keep a close eye on application logs for any signs of exploitation attempts.
- Implement additional security measures: Consider implementing Web Application Firewalls (WAFs) or other security tools to detect and prevent similar attacks.
- Review and update security policies: Update security policies and procedures to reflect the importance of input validation and robust error handling.
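The following script is an added illustration written for this debrief; it is not code from the tiptap-php project, and the function names, regex and sample document are constructed here. It mirrors the failure mode described in the technical summary (a string-only URI check fed a non-string attrs.href) beside a hardened check, and it shows the "validate user input" recommendation above applied at write time: a walk over the Tiptap JSON tree that drops link marks whose href is not an allowed string before the document is ever stored.

```php
<?php
declare(strict_types=1);

// Constructed sample Tiptap document (not taken from the advisory): one link mark
// whose attrs.href is an array instead of a string.
const SAMPLE_DOC = '{"type":"doc","content":[{"type":"paragraph","content":[{"type":"text","text":"click",'
    . '"marks":[{"type":"link","attrs":{"href":["https://example.com"]}}]}]}]}';

// Hypothetical check that mimics the weakness described in the debrief: the value of
// attrs.href goes straight into preg_match(). Under PHP 8, passing an array where a
// string is expected throws TypeError, which is what takes the render path down.
function isAllowedUriUnsafe(mixed $href): bool
{
    return preg_match('#^https?://#i', $href) === 1;
}

// Hardened variant: refuse anything that is not a string before the regex sees it.
// Returning false (instead of throwing) lets callers treat a bad href as "not allowed".
function isAllowedUriSafe(mixed $href): bool
{
    if (!is_string($href)) {
        return false;
    }
    return preg_match('#^https?://#i', $href) === 1;
}

// Recursively walk a decoded Tiptap document and remove link marks whose href fails the
// hardened check. Run this on submitted JSON before persisting it, so a malformed
// document cannot poison later renders of the stored record.
function sanitizeLinkMarks(array $node): array
{
    if (isset($node['marks']) && is_array($node['marks'])) {
        $node['marks'] = array_values(array_filter($node['marks'], function (mixed $mark): bool {
            if (!is_array($mark)) {
                return false;               // a mark must be an object
            }
            if (($mark['type'] ?? null) !== 'link') {
                return true;                // only link marks carry an href
            }
            return isAllowedUriSafe($mark['attrs']['href'] ?? null);
        }));
    }
    if (isset($node['content']) && is_array($node['content'])) {
        $node['content'] = array_map('sanitizeLinkMarks', $node['content']);
    }
    return $node;
}

function demo(): void
{
    $doc  = json_decode(SAMPLE_DOC, true, 512, JSON_THROW_ON_ERROR);
    $href = $doc['content'][0]['content'][0]['marks'][0]['attrs']['href'];

    try {
        isAllowedUriUnsafe($href);
    } catch (TypeError $e) {
        echo "unsafe check threw " . get_class($e) . ": " . $e->getMessage() . "\n";
    }

    // The hardened check simply rejects the value; no exception, render continues.
    var_dump(isAllowedUriSafe($href));

    // Sanitizing at write time strips the offending mark and leaves the text intact.
    echo json_encode(sanitizeLinkMarks($doc)) . "\n";
}

demo();
```

Run with `php validate_links.php` (any PHP 8 build). The write-time sanitizer is the part that matters operationally: catching the TypeError at render time only hides the symptom, while rejecting or stripping non-string href values before storage keeps a single malformed submission from breaking every later view of that record.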
Evidence notes
The CVE-2026-47110 vulnerability was discovered and reported by Vulncheck. The issue is tracked on GitHub and has been patched in version 2.1.1 of Tiptap for PHP. The vulnerability has a CVSS score of 7.1 and is considered high severity. The CVE record and NVD details provide additional information about the vulnerability.
Official resources
This article is AI-assisted and based on the supplied source corpus.