Key Information

Vendor: CKEditor
Product & Version: CKEditor used with Angular - CKEditor v46.1.0 & Angular v18.0.0
Affected Component: The link feature in CKEditor
Vulnerabilities: Cross-Site Scripting (XSS)
Attack Vectors: An attacker with access to a CKEditor field could inject a link with arbitrary JavaScript, which would be executed in the browser of a victim user.
CVE Number: CVE-2025-61261

Vulnerability Steps

Imagine injecting a link using the payload, which showcases how AngularJS may sanitize certain keywords like to prevent XSS, but the keyword is not blocked.

Remarks

The issue is not with CKEditor itself but with AngularJS and its handling of sanitization. The keyword not being blocked is seen as a feature by the AngularJS team.

References

https://ckeditor.com/
https://angularjs.org/
https://github.com/angular/angular/pull/49659
https://www.cve.org/CVERecord?id=CVE-2012-1966
https://www.cve.org/CVERecord?id=CVE-2025-61261
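As an added defender-side example (not code from CKEditor, Angular or this advisory), the following is a link-href allowlist check of the kind one would run over rich-text output before storing or rendering it; it illustrates why an allowlist of URL schemes holds up where a blocklist of keywords, as described above, does not. The sample hrefs are constructed, and the function and constant names are the example's own.

```javascript
// Added example, not CKEditor's or Angular's code. Only these schemes may appear
// in a link href; anything else (script-bearing or otherwise) is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Browsers strip leading/trailing C0 controls and spaces, and tab/newline
// characters, before parsing a URL. Normalise the same way so the check sees
// what the browser will see, rather than the raw attribute text.
function normalizeHref(href) {
  return String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns true only when the href resolves to an allowlisted scheme.
// Relative URLs resolve against the page's own origin and are accepted via the
// (hypothetical) https base; unparsable input is treated as unsafe.
function isSafeLinkHref(href) {
  const cleaned = normalizeHref(href);
  if (cleaned === "") return false;
  let parsed;
  try {
    parsed = new URL(cleaned, "https://placeholder.invalid/");
  } catch {
    return false;
  }
  // URL() lowercases the scheme, so mixed-case variants are handled here too.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Convenience for auditing a batch of hrefs pulled from editor output:
// returns the ones that must not be rendered as-is.
function auditLinkHrefs(hrefs) {
  return hrefs.filter((h) => !isSafeLinkHref(h));
}

// Constructed sample values standing in for hrefs found in stored editor content.
const SAMPLE_HREFS = [
  "https://example.com/docs",
  "/relative/path",
  "mailto:someone@example.com",
  "javascript:void(0)",
  "\tJavaScript:void(0)",
  "data:text/html,x",
];

console.log("rejected hrefs:", auditLinkHrefs(SAMPLE_HREFS));
```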