Browse all 19 CVE security advisories affecting ckeditor. AI-powered Chinese analysis, POCs, and references for each vulnerability.
CKEditor serves as a WYSIWYG text editor component integrated into web applications for content creation. Historically, it has been susceptible to cross-site scripting (XSS) vulnerabilities due to improper input sanitization, with several instances allowing remote code execution (RCE) through crafted payloads. Privilege escalation vulnerabilities have also been documented in certain versions. The project maintains a security-focused approach, with regular updates addressing identified flaws. While 19 CVEs exist on record, most relate to older versions; recent releases demonstrate improved security practices. The editor's extensive customization options and third-party plugin ecosystem introduce additional potential attack surfaces requiring careful configuration and maintenance to mitigate risks.
| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-28343 | CKEditor: Cross-site scripting (XSS) in the HTML Support package | ckeditor5 | CWE-79 | 6.4 | Medium | 2026-03-05 |
| CVE-2025-58064 | CKEditor is susceptible to Cross-Site Scripting (XSS) through its clipboard package | ckeditor5 | CWE-79 | 6.1 (AI-estimated) | Medium (AI-estimated) | 2025-09-03 |
| CVE-2025-25299 | Cross-site scripting (XSS) in the real-time collaboration package | ckeditor5 | CWE-79 | 6.1 | - | 2025-02-20 |
| CVE-2024-45613 | CKEditor 5 has Cross-site Scripting vulnerability in the clipboard package | ckeditor5 | CWE-79 | 6.1 (AI-estimated) | Medium (AI-estimated) | 2024-09-25 |
| CVE-2022-31175 | Cross-site scripting caused by the editor instance destroying process in ckeditor5 | ckeditor5 | CWE-79 | 5.8 | Medium | 2022-08-03 |
| CVE-2021-21391 | Regular expression Denial of Service in multiple packages | ckeditor5 | CWE-400 | 6.5 | Medium | 2021-04-29 |
| CVE-2021-21254 | Regular expression Denial of Service in Markdown plugin | ckeditor5 | CWE-400 | 6.5 | Medium | 2021-01-29 |
This page lists every published CVE security advisory associated with ckeditor. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.