Volerion logoVolerion
Volerion logoVolerion

CKEditor 5 General HTML Support Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in CKEditor 5 versions prior to 47.6.0, within the General HTML Support feature. This issue arises when an editor instance is configured to allow unsafe markup, enabling the execution of unauthorized JavaScript code. The vulnerability can be exploited by inserting specially crafted markup, but only if the General HTML Support feature is enabled and configured to accept unsafe content.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users can update CKEditor 5 to version 47.6.0 or later to address this vulnerability. For those using the General HTML Support feature, it is recommended to configure it securely to prevent the acceptance of unsafe content.

Added: Mar 5, 2026, 8:19 PM
Updated: Mar 5, 2026, 8:19 PM

Vulnerability Rating

Custom Algorithm
spread
5.4
impact
1.7
exploitability
3.3
remediation
8.3
relevance
3.5
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.