Security Advisory - Published 2026-06-25 - Tiptap PHP

Tiptap for PHP CVE-2026-47110: check stored editor JSON and rendering errors

CVE-2026-47110 affects Tiptap for PHP before 2.1.1. The issue can break server-side rendering for stored editor records. Patch the library, then review which users can save rich-text JSON and which records are causing rendering errors.

Defensive scope: review your own PHP application and database. This page avoids malformed JSON examples and public testing steps.

CVE summary

CVE | Product | Affected | CVSS
CVE-2026-47110 | Tiptap for PHP | < 2.1.1 | 7.1

Owner self-check

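# Installed Tiptap for PHP version as Composer sees it
composer show ueberdosis/tiptap-php 2>/dev/null
# Where the library and editor JSON are referenced in the code base
grep -Rni 'ueberdosis/tiptap-php\|Tiptap\|Link::isAllowedUri\|rendered HTML\|editor JSON' composer.json composer.lock app src storage logs 2>/dev/null | tail -220
# Recent rendering errors in application logs
grep -Rni 'TypeError\|preg_match\|href\|tiptap' storage/logs logs var/log 2>/dev/null | tail -160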

What to review

  • Tiptap for PHP version and whether 2.1.1 or newer is deployed.
  • Models, CMS fields, comments, tickets, or documents storing Tiptap JSON.
  • Authenticated users who can edit rich text and recent records that trigger rendering errors.
  • Application error logs showing repeated TypeError or rendering failures.
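
A lock-file check for the first review item, as an added example that is not part of the original advisory or the Tiptap project: it reads composer.lock and classifies the locked ueberdosis/tiptap-php version against 2.1.1. The function names and the sample lock data are constructed for illustration.

```python
import json
import re

PACKAGE = "ueberdosis/tiptap-php"   # package name from the page's composer command
FIXED = (2, 1, 1)                   # first fixed release named by the advisory

# Constructed composer.lock excerpt (sample data, not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "ueberdosis/tiptap-php", "version": "2.1.0"},
        {"name": "psr/log", "version": "3.0.2"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return (major, minor, patch) for a stable tag like '2.1.0' or 'v2.1.0', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_lock(lock_text):
    """Classify the locked Tiptap for PHP version against the fixed release."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            ver = parse_version(raw)
            if ver is None:
                # Dev branches and pre-release tags need a manual look.
                return {"status": "unknown", "version": raw, "section": section}
            status = "patched" if ver >= FIXED else "affected"
            return {"status": status, "version": raw, "section": section}
    return {"status": "not-installed", "version": None, "section": None}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(check_lock(text))
```

Run it with the path to your own composer.lock as the only argument; with no argument it evaluates the constructed sample.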

Safe fix path

  1. Upgrade Tiptap for PHP to 2.1.1 or newer.
  2. Preserve failing records before repair so the affected editor path can be confirmed.
  3. Temporarily limit rich-text editing to trusted users if errors are active.
  4. Repair malformed stored records after the library is patched.

Repair help

Use Ping7 CVE Repair when PHP rendering errors are breaking public pages or stored editor records need safe cleanup.
