Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
Description
CKEditor 4 is an open source WYSIWYG HTML editor. In affected versions, a vulnerability was discovered in the Advanced Content Filter (ACF) module that may affect all plugins used by CKEditor 4. The vulnerability allowed malformed HTML to be injected past content sanitization, which could result in executing JavaScript code. It affects all users of CKEditor 4 at versions < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CKEditor 4 prior to 4.17.0 allows JavaScript execution via malformed HTML that bypasses content sanitization in the Advanced Content Filter module.
Vulnerability
CKEditor 4 versions below 4.17.0 contain a vulnerability in the Advanced Content Filter (ACF) module that allows malformed HTML to bypass content sanitization. This issue affects all plugins used by CKEditor 4 [1][2][3]. The vulnerability was discovered and reported to the vendor, with a fix released in version 4.17.0 [1].
Exploitation
An attacker can inject malformed HTML that bypasses the ACF sanitization, potentially leading to execution of JavaScript code. No authentication or special privileges are required if the editor is used in a context where users can submit content. The malformed HTML is crafted to evade the filter's parsing logic [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser, leading to cross-site scripting (XSS). This can result in information disclosure, session hijacking, or other malicious actions performed on behalf of the victim [1][3].
Mitigation
The vulnerability is patched in CKEditor 4 version 4.17.0 [1]. Users should upgrade to at least this version. Note that the open-source edition of CKEditor 4 reached end-of-life on June 30, 2023, while the CKEditor 4 LTS commercial edition continues to receive security updates until December 2028 [2]. If upgrading is not immediately possible, ensure that the environment where CKEditor 4 is used does not allow untrusted users to input content [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ckeditor4 (npm) | < 4.17.0 | 4.17.0 |
Affected products
- (no CPE) range: >= 8.9.0, < 8.9.20
- (no CPE) range: < 4.17.0
- ckeditor/ckeditor4 (v5) range: < 4.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-pvmx-g8h5-cprj (ghsa, ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/ (mitre, vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41164 (ghsa, ADVISORY)
- github.com/ckeditor/ckeditor4/blob/major/CHANGES.md (ghsa, WEB)
- github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP (ghsa, WEB)
- www.drupal.org/sa-core-2021-011 (ghsa, WEB)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa, WEB)
- www.oracle.com/security-alerts/cpujan2022.html (ghsa, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa, WEB)
News mentions
No linked articles in our index yet.