Description
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
Published: 2026-03-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that permits arbitrary JavaScript execution within web pages that host CKEditor 5
Action: Immediate Patch
AI Analysis

Impact

This vulnerability exists in CKEditor 5’s General HTML Support feature, where an attacker can insert specially crafted markup that triggers a cross‑site scripting flaw. The injection leads to unauthorized JavaScript code execution within the context of a page hosting the editor. Such execution can facilitate data theft, session hijacking or further compromise of the hosting application.

Affected Systems

CKEditor 5 versions from 29.0.0 up to, but not including, 47.6.0 are affected. The flaw is triggered when the editor instance is configured with the unsafe General HTML Support option. The fix was introduced in CKEditor 5 version 47.6.0, which securely sanitises the passed content.

Risk and Exploitability

The CVSS score of 6.4 rates the flaw as medium severity. The EPSS score is below 1 %, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through a web page that references an attacker‑crafted CKEditor instance with General HTML Support enabled; content from an untrusted source can be injected, resulting in client‑side JavaScript execution. While the risk for an unpatched system is moderate, the low exploit probability suggests that attackers will invest effort only if the vulnerability is publicly known and the target uses a vulnerable version.

Generated by OpenCVE AI on April 16, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CKEditor 5 to version 47.6.0 or later to eliminate the flaw.
  • If an upgrade is not immediately possible, disable the General HTML Support feature or strictly sanitise any content before rendering.
  • Ensure user‑generated content passed to the editor is validated or filtered to prevent XSS injection.

Generated by OpenCVE AI on April 16, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jrqm-vmqc-gm93 CKEditor 5 has Cross-site Scripting (XSS) in the HTML Support package
History

Thu, 19 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0. CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
References

Tue, 17 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Ckeditor
Ckeditor ckeditor5
Vendors & Products Ckeditor
Ckeditor ckeditor5

Thu, 05 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
Title CKEditor: Cross-site scripting (XSS) in the HTML Support package
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ckeditor Ckeditor5
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T18:45:43.135Z

Reserved: 2026-02-26T18:38:13.889Z

Link: CVE-2026-28343

cve-icon Vulnrichment

Updated: 2026-03-06T17:56:12.556Z

cve-icon NVD

Status : Modified

Published: 2026-03-05T20:16:16.017

Modified: 2026-03-19T19:16:20.003

Link: CVE-2026-28343

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses