Cross Site Scripting vulnerability in Summernote v.0.8.18 and before allows a remote attacker to execute arbtirary code via a crafted payload to the codeview parameter.
https://github.com/summernote/summernote/pull/3782
https://gist.github.com/phoenix118go/a9192281efcfa518daa709ab7638712b