CVE-2026-28343— CKEditor: Cross-site scripting (XSS) in the HTML Support package

CKEditor: Cross-site scripting (XSS) in the HTML Support package

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

CKEditor 跨站脚本漏洞

CKEditor是CKEditor开源的一个企业级 WYSIWYG 编辑器。 CKEditor 5 47.6.0之前版本存在跨站脚本漏洞，该漏洞源于General HTML Support功能存在跨站脚本，可能导致执行未经授权的JavaScript代码。

N/A

N/A