HTML comments vulnerability allowing to execute JavaScript code
Description
CKEditor 4 is an open source WYSIWYG HTML editor. In affected versions, a vulnerability was discovered in the core HTML processing module that may affect all plugins used by CKEditor 4. The vulnerability allowed injecting malformed comment HTML that bypassed content sanitization, which could result in executing JavaScript code. It affects all users of CKEditor 4 versions below 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CKEditor 4 before 4.17.0 allows XSS via malformed HTML comments that bypass content sanitization.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the core HTML processing module of CKEditor 4 versions prior to 4.17.0. The flaw allows malformed comment HTML to bypass content sanitization, potentially enabling JavaScript execution. This affects all plugins using the editor's core processing [1][2].
Exploitation
An attacker can inject specially crafted, malformed HTML comments into editor content. No authentication is required if the editor is publicly accessible, but exploitation typically relies on a victim (e.g., an administrator) viewing or processing the malicious content. The attack does not require user interaction beyond normal content rendering [1][2].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser session. This can result in data theft, session hijacking, or other client-side attacks. The vulnerability is classified as XSS with a moderate severity rating [2][4].
Mitigation
The vulnerability is fixed in CKEditor 4.17.0, released November 17, 2021 [1][2]. Users should upgrade to this version or later. For those unable to upgrade, no official workaround is documented; however, Drupal (which integrates CKEditor) released corresponding patches in versions 8.9.20, 9.1.14, and 9.2.9 [4]. CKEditor 4 reached end-of-life on June 30, 2023, and later versions under the Extended Support Model (4.22.1 and below) may require a commercial license for continued security updates [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| ckeditor4 | npm | < 4.17.0 | 4.17.0 |
| ckeditor/ckeditor | Packagist | < 4.17.0 | 4.17.0 |
Affected products
- (no CPE) range: >= 8.9.0, < 8.9.20
- (no CPE) range: < 4.17.0
- (no CPE) range: < 4.17.0
- ckeditor/ckeditor4 (v5 range): < 4.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7h26-63m7-qhf2 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41165 (advisory)
- github.com/ckeditor/ckeditor4/blob/major/CHANGES.md
- github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2
- www.drupal.org/sa-core-2021-011
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpujul2022.html
News mentions
No linked articles in our index yet.