CVE-2018-9861
Description
A stored XSS vulnerability in CKEditor's Enhanced Image plugin allows remote attackers to inject arbitrary web script via a crafted IMG element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Enhanced Image (image2) plugin of CKEditor versions 4.5.10 through 4.9.1. The issue allows remote attackers to inject arbitrary web script through a specially crafted IMG element. This affects Drupal 8 core before 8.4.7 and 8.5.x before 8.5.2, as well as other products embedding the vulnerable CKEditor plugin [1][2][4].
Exploitation
An attacker requires the ability to insert a crafted IMG element into content processed by CKEditor's Enhanced Image plugin. The attack can be performed remotely, without authentication, if the application allows users to submit rich text content. The malicious payload is executed when a victim views the crafted content in a browser [1][2].
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of the victim's session. This can lead to session hijacking, data theft, defacement, or other actions that the application's user interface permits [1].
Mitigation
CKEditor released version 4.9.2 which fixes the vulnerability. Drupal users should update to core 8.4.7 or 8.5.2, or apply the contributed module security update provided by the Drupal security team. If immediate patching is not possible, administrators may consider disabling the Enhanced Image plugin as a temporary workaround [1][3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.5.0, < 8.5.2 | 8.5.2 |
| ckeditor-dev | npm | >= 4.5.10, < 4.9.2 | 4.9.2 |
| drupal/core | Packagist | >= 8.0, < 8.4.7 | 8.4.7 |
| drupal/drupal | Packagist | >= 8.0, < 8.4.7 | 8.4.7 |
| drupal/drupal | Packagist | >= 8.5, < 8.5.2 | 8.5.2 |
Affected products
Three affected version ranges (GHSA coordinates, no CPE assigned):
- >= 8.5.0, < 8.5.2
- >= 8.0, < 8.4.7
- >= 4.5.10, < 4.9.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g78h-pf65-46rv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-9861 (GHSA, advisory)
- www.securityfocus.com/bid/103924 (GHSA, vdb-entry, x_refsource_BID, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2018-9861.yaml (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2018-9861.yaml (GHSA, web)
- github.com/ckeditor/ckeditor-dev/blob/master/CHANGES.md (GHSA, x_refsource_CONFIRM, web)
- www.drupal.org/sa-core-2018-003 (GHSA, x_refsource_CONFIRM, web)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.