Ckeditor Ckeditor5 vulnerabilities
9 known vulnerabilities affecting ckeditor/ckeditor5.
Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: MEDIUM 7, LOW 2
Vulnerabilities
CVE-2022-48110 | P3 | MEDIUM | PoC | ≥ 0, < 36.0.0 | 2023-02-13
CVE-2022-48110 [MEDIUM] CWE-79 Cross-site scripting in CKEditor5
CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget.
NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case.
ghsa
CVE-2021-21254 | P4 | MEDIUM | CVSS 6.5 | fixed in 25.0.0 | 2021-01-29
CVE-2021-21254 [MEDIUM] CWE-400
CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resul
nvd
CVE-2021-21391 | P4 | MEDIUM | CVSS 6.5 | fixed in 27.0.0 | 2021-04-29
CVE-2021-21391 [MEDIUM] CWE-400
CKEditor 5 provides a WYSIWYG editing solution. This CVE affects the following npm packages: ckeditor5-engine, ckeditor5-font, ckeditor5-image, ckeditor5-list, ckeditor5-markdown-gfm, ckeditor5-media-embed, ckeditor5-paste-from-office, and ckeditor5-widget. Following an internal audit, a regular expression denial of service (ReDoS) vulnerability has
nvd
CVE-2026-28343 | P4 | MEDIUM | CVSS 6.1 | fixed in 47.6.0 | >= 29.0.0, < 47.6.0 | 2026-03-05
CVE-2026-28343 [MEDIUM] CWE-79
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code ex
ghsa, nvd, osv
CVE-2024-45613 | P4 | MEDIUM | CVSS 6.1 | ≥ 40.0.0, < 43.1.1 | >= 40.0.0, < 43.1.1 | 2024-09-25
CVE-2024-45613 [MEDIUM] CWE-79
CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a maliciou
ghsa, nvd, osv
CVE-2025-61261 | P4 | MEDIUM | CVSS 5.4 | v46.1.0 | 2025-11-07
CVE-2025-61261 [MEDIUM] CWE-79
A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
nvd
CVE-2022-31175 | P4 | MEDIUM | CVSS 4.7 | fixed in 35.0.1 | 2022-08-03
CVE-2022-31175 [MEDIUM] CWE-79
CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5
nvd
CVE-2025-58064 | P4 | LOW | CVSS 2.3 | >= 46.0.0, < 46.0.3 | >= 44.2.0, < 45.2.2 | 2025-09-04
CVE-2025-58064 [LOW] CWE-79
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. ckeditor5 and ckeditor5-clipboard versions 46.0.0 through 46.0.2 and 44.2.0 through 45.2.1 contain a Cross-Site Scripting (XSS) vulnerability. Ability to exploit could be triggered by a specific user action (leading to unauthorized JavaScript code execution) if the attacker man
ghsa, nvd, osv
CVE-2025-25299 | P4 | LOW | CVSS 2.3 | @ckeditor/ckeditor5-real-time-collaboration: >= 41.3.0, < 44.2.1 | ckeditor5-premium-features: >= 42.0.0, < 44.2.1 | 2025-02-20
CVE-2025-25299 [LOW] CWE-79
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 real-time collaboration package. This vulnerability affects user markers, which represent users' positions within the document. It can lead to unauthorized JavaScript cod
nvd