CVE-2026-28343

Published: Mar 5, 2026Modified: Mar 19, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.

Affected (1)

Products: Ckeditor: Ckeditor5

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ckeditor Ckeditor5	Before 47.6.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/ckeditor/ckeditor5/releases/tag/v29.0.0

Source: security-advisories@github.com

https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0

Source: security-advisories@github.com

Release Notes

https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93

Source: security-advisories@github.com

MitigationVendor Advisory

Timeline

No history available yet.