VYPR
Moderate severity · NVD Advisory · Published Feb 13, 2023 · Updated Mar 24, 2025

CVE-2022-48110

Description

CKSource CKEditor 5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget. NOTE: the vendor's position is that this is not a vulnerability. The CKEditor 5 documentation discusses that it is the responsibility of an integrator (who is adding CKEditor 5 functionality to a website) to choose the correct security settings for their use case. Also, safe default values are established (e.g., config.htmlEmbed.showPreviews is false).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CKEditor 5 35.4.0's Full Featured widget can be misconfigured to enable stored XSS via the HTML embed feature, but the vendor considers this an integrator responsibility.

Vulnerability Overview

CVE-2022-48110 describes a potential cross-site scripting (XSS) risk in CKEditor 5 version 35.4.0 when using the Full Featured configuration. The issue arises from the HTML embed feature, which allows editors to insert arbitrary HTML snippets, including `<script>` tags, into content [1]. Unlike other features that enforce content filtering, the HTML embed feature is designed to bypass CKEditor 5's built-in filtering mechanisms, making it a powerful tool for advanced users [1].

Exploitation Context

Exploitation requires an integrator to enable the HTML embed feature and configure it with unsafe settings. Specifically, if config.htmlEmbed.showPreviews is set to true, a preview of the embedded HTML is rendered, including potentially malicious scripts [3]. An attacker with edit access could then inject HTML containing JavaScript. The attack vector is stored: the malicious payload persists in the editor content and executes when a viewer (e.g., an administrator) loads a preview or the published content [1].

Impact and Vendor Position

If exploited, an attacker could execute arbitrary JavaScript in the context of the user viewing the content, leading to session hijacking, data theft, or defacement. The vendor, CKSource, maintains that this is not a vulnerability in CKEditor 5 itself, but rather a consequence of integrator choices [3]. The documentation explicitly states that integrators must select security settings appropriate for their use case, and the default setting (showPreviews: false) is safe [1][3].

Mitigation

No patch is required from CKEditor 5 as version 35.4.0 is not affected by a code defect; the risk is entirely configurational. Integrators should ensure config.htmlEmbed.showPreviews remains false unless they have explicitly trusted all editors and implemented additional server-side sanitization [1][3]. Reviewing the HTML embed feature's security implications is advised before enabling it in any production environment [2].
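The configuration point made in the Exploitation Context and Mitigation sections, as an added example that is not part of this advisory or of CKEditor's own code: a hypothetical audit helper that flags an editor config with htmlEmbed.showPreviews enabled and no working sanitizer, shown against the weak setting, the vendor default, and a sanitized variant. It assumes config.htmlEmbed.sanitizeHtml, CKEditor 5's documented callback returning { html, hasChanged }; the allow-list sanitizer is a constructed stand-in for a vetted library.

```javascript
// Hypothetical audit helper (added example, not CKEditor code): flags the
// misconfiguration behind CVE-2022-48110, htmlEmbed.showPreviews enabled
// without a sanitizer. config.htmlEmbed.sanitizeHtml, a callback returning
// { html, hasChanged }, is CKEditor 5's documented hook for this (assumed here).
function auditHtmlEmbedConfig(config) {
  const findings = [];
  const embed = (config && config.htmlEmbed) || {};
  const previews = embed.showPreviews === true;       // vendor default is false
  const hasSanitizer = typeof embed.sanitizeHtml === 'function';

  if (previews && !hasSanitizer) {
    findings.push('htmlEmbed.showPreviews is true with no sanitizeHtml: embedded ' +
                  'HTML is rendered unfiltered in the editor (stored XSS risk).');
  } else if (previews) {
    // A sanitizer only helps if it actually strips active content; run a
    // constructed probe through it and inspect what comes back.
    const probe = '<b onclick="x()">t</b><script>x()</script>';
    let out = null;
    try { out = embed.sanitizeHtml(probe); } catch (e) { /* treated as failure */ }
    if (!out || typeof out.html !== 'string' || /<script|\son\w+=/i.test(out.html)) {
      findings.push('htmlEmbed.sanitizeHtml left script or event-handler content in a probe.');
    }
  }
  return findings;
}

// Weak: previews on, nothing filters the snippet before the editor renders it.
const weakConfig = { htmlEmbed: { showPreviews: true } };

// Vendor default and the advisory's recommendation: previews off.
const defaultConfig = { htmlEmbed: { showPreviews: false } };

// Minimal allow-list sanitizer for the example: keeps only attribute-free
// <b>, <i>, <p> tags and drops every other tag. A production integration should
// delegate to a vetted HTML sanitizer library rather than a hand-written filter.
function allowListSanitize(inputHtml) {
  const html = inputHtml.replace(/<[^>]*>/g,
    (tag) => (/^<\/?(b|i|p)\s*\/?>$/i.test(tag) ? tag.toLowerCase() : ''));
  return { html, hasChanged: html !== inputHtml };
}

// Previews on, but every snippet passes through the sanitizer first.
const sanitizedConfig = { htmlEmbed: { showPreviews: true, sanitizeHtml: allowListSanitize } };

for (const [name, cfg] of Object.entries({ weakConfig, defaultConfig, sanitizedConfig })) {
  console.log(name, auditHtmlEmbedConfig(cfg));
}
```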

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
ckeditor5 (npm)   < 36.0.0            36.0.0
