CVE-2026-28343
CKEditor: Cross-site scripting (XSS) in the HTML Support package
| CVSS Score | 6.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Versions starting with 29.0.0 and prior to 47.6.0 contain a cross-site scripting (XSS) vulnerability in the General HTML Support feature. The vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. The issue has been patched in version 47.6.0.
| CWE | CWE-79 |
| Vendor | ckeditor |
| Product | ckeditor5 |
| Published | Mar 5, 2026 |
| Last Updated | Mar 19, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
ckeditor / ckeditor5
>= 29.0.0, < 47.6.0