VYPR
Moderate severity · NVD Advisory · Published Aug 7, 2014 · Updated May 6, 2026

CVE-2014-5191

Description

Cross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ckeditor/ckeditor (Packagist) | < 4.4.3 | 4.4.3

Affected products

3
  • cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:* (range: <=4.4.2)
  • cpe:2.3:a:ckeditor:ckeditor:4.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ckeditor:ckeditor:4.4.1:*:*:*:*:*:*:*

Patches

1
b685874c6bc8

Prevent from DOM clobbering.

https://github.com/ckeditor/ckeditor4 · Piotrek Reinmar Koszuliński · Jul 7, 2014 · via ghsa
1 file changed · +8 -5
  • plugins/preview/preview.html · +8 -5 · modified
    @@ -1,10 +1,13 @@
     <script>
     
    -var doc = document;
    -doc.open();
    -doc.write( window.opener._cke_htmlToLoad );
    -doc.close();
    +// Prevent from DOM clobbering.
    +if ( typeof window.opener._cke_htmlToLoad == 'string' ) {
    +	var doc = document;
    +	doc.open();
    +	doc.write( window.opener._cke_htmlToLoad );
    +	doc.close();
     
    -delete window.opener._cke_htmlToLoad;
    +	delete window.opener._cke_htmlToLoad;
    +}
     
     </script>
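
Review bot: The new guard `if ( typeof window.opener._cke_htmlToLoad == 'string' )` still dereferences `window.opener` without checking that it is non-null, so loading preview.html directly (with no opener) throws a TypeError before the type check is evaluated; suggest `if ( window.opener && typeof window.opener._cke_htmlToLoad === 'string' )`. The comment "Prevent from DOM clobbering" would also be more useful if it stated why a type check is sufficient: a property clobbered by a named element in the opener document resolves to an element or collection, not a string, so only a value the editor assigned itself passes. Note that when the check fails, nothing is written and `_cke_htmlToLoad` is left in place on the opener, since the `delete` now sits inside the `if` block; if a stale or clobbered value should not persist, that cleanup needs handling outside the guard.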
    
