VYPR
Moderate severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 19, 2026

CKEditor: Cross-site scripting (XSS) in the HTML Support package

CVE-2026-28343

Description

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CKEditor 5 General HTML Support feature allows XSS via crafted markup when unsafe configuration is used, patched in v47.6.0.

Vulnerability

Overview

A cross-site scripting (XSS) vulnerability exists in CKEditor 5's General HTML Support (GHS) feature, affecting versions from 29.0.0 up to (but not including) 47.6.0 [1][2][3]. The root cause is that GHS, when configured to allow unsafe HTML elements or attributes, does not sufficiently filter user-supplied markup before it is loaded into the editor. An attacker can insert specially crafted HTML that bypasses the editor's content filtering, leading to execution of arbitrary JavaScript in the origin that hosts the editor [2][3].

Exploitation

Conditions

Exploitation requires that the editor instance has General HTML Support enabled and that its configuration permits markup capable of carrying script (e.g., allowing script-capable elements or event handler attributes such as `onerror`) [2]. The attacker must be able to submit content to the editor, typically through a form or API endpoint that accepts rich-text content which is later rendered to other users. No special network position is required beyond the ability to deliver crafted input to the vulnerable editor instance [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who views the crafted content. This can lead to session hijacking, data theft, defacement, or other actions that the victim's browser session can perform [2][3]. The vulnerability is classified as a stored or reflected XSS depending on how the editor content is persisted and later rendered.

Mitigation

The issue has been patched in CKEditor 5 version 47.6.0 [2]. Users should upgrade to this version or later. For those unable to upgrade immediately, the advisory recommends reviewing the General HTML Support configuration to ensure only safe elements and attributes are allowed, and avoiding configurations that permit script-capable elements or event handler attributes [2]. GHS is an allow-list, so the breadth of its rules is what matters: a catch-all rule such as `name: /.*/` with `attributes: true` instructs GHS to preserve every attribute it meets, event handlers included, whereas rules restricted to named elements and explicitly listed attributes give an attacker far less to work with. No workaround fully eliminates the risk without upgrading.
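The following is an added example, not code from CKEditor or from the advisory, that makes the configuration review above concrete: a small static audit of a CKEditor 5 `htmlSupport` configuration that flags allow rules letting script-capable element or attribute names through, shown against an "enable everything" configuration and an allow-list one. It uses only the documented GHS rule shape (`allow`/`disallow` rules with `name`, `attributes`, `classes`, `styles`, each matcher being `true`, a string, a RegExp, an array of those, or `{ key, value }` for attributes); the lists of script-capable names, the probe elements, the two sample configurations and the function names are this example's own assumptions, and it does not run GHS itself.

```javascript
// Added example: a static audit of a CKEditor 5 General HTML Support (GHS)
// `htmlSupport` configuration. Not CKEditor or advisory code; the lists of
// script-capable names, the probe elements and both sample configurations are
// this example's own assumptions. Only the documented GHS rule shape is used:
// `allow` / `disallow` rules with `name`, `attributes`, `classes`, `styles`,
// each matcher being true, a string, a RegExp, an array of those, or
// { key, value } for attributes.

// Elements that execute or load script if preserved verbatim.
const SCRIPT_CAPABLE_ELEMENTS = ['script', 'iframe', 'object', 'embed'];
// Attribute names that carry script. Only names are audited here; attribute
// values (e.g. a javascript: URL in href) are outside a config-level check.
const SCRIPT_CAPABLE_ATTRIBUTES = ['onerror', 'onload', 'srcdoc', 'formaction'];
// Ordinary elements used to probe catch-all rules such as `name: /.*/`.
const PROBE_ELEMENTS = ['img', 'div', 'a', 'form'];

// Does a GHS matcher accept this element or attribute name?
function matcherAccepts(matcher, candidate) {
  if (matcher === true) return true;
  if (matcher === undefined || matcher === false || matcher === null) return false;
  if (typeof matcher === 'string') return matcher === candidate;
  if (matcher instanceof RegExp) return matcher.test(candidate);
  if (Array.isArray(matcher)) return matcher.some((m) => matcherAccepts(m, candidate));
  if (typeof matcher === 'object' && 'key' in matcher) return matcherAccepts(matcher.key, candidate);
  return false;
}

// A disallow rule with only `name` blocks the whole element ...
function elementDisallowed(disallow, element) {
  return disallow.some((rule) => matcherAccepts(rule.name, element)
    && rule.attributes === undefined && rule.classes === undefined && rule.styles === undefined);
}

// ... while one that also names attributes blocks just those attributes on it.
function attributeDisallowed(disallow, element, attribute) {
  return disallow.some((rule) => matcherAccepts(rule.name, element)
    && matcherAccepts(rule.attributes, attribute));
}

// Returns the list of findings; an empty list means no script-capable
// element or attribute name is let through by the allow rules.
function auditGhsConfig(htmlSupport) {
  const allow = htmlSupport.allow || [];
  const disallow = htmlSupport.disallow || [];
  const findings = new Set();

  for (const rule of allow) {
    for (const el of SCRIPT_CAPABLE_ELEMENTS) {
      if (matcherAccepts(rule.name, el) && !elementDisallowed(disallow, el)) {
        findings.add(`element <${el}> is allowed`);
      }
    }
    const probes = new Set(PROBE_ELEMENTS);
    if (typeof rule.name === 'string') probes.add(rule.name);
    for (const el of probes) {
      if (!matcherAccepts(rule.name, el) || elementDisallowed(disallow, el)) continue;
      for (const attr of SCRIPT_CAPABLE_ATTRIBUTES) {
        if (matcherAccepts(rule.attributes, attr) && !attributeDisallowed(disallow, el, attr)) {
          findings.add(`attribute ${attr} is allowed on <${el}>`);
        }
      }
    }
  }
  return [...findings];
}

// "Enable everything": every element and attribute is preserved, so an
// on* handler or a <script> element in submitted content survives into the data.
const UNSAFE_HTML_SUPPORT = {
  allow: [{ name: /.*/, attributes: true, classes: true, styles: true }],
};

// Allow-list: named elements only, attributes by explicit name or by a pattern
// that cannot match on*, plus disallow rules as a second line of defence.
const HARDENED_HTML_SUPPORT = {
  allow: [
    { name: 'div', classes: true },
    { name: 'span', styles: ['color', 'font-weight'] },
    { name: 'img', attributes: ['src', 'alt', 'width', 'height'] },
    { name: 'a', attributes: ['href', 'title', 'rel'] },
    { name: /^h[1-6]$/, attributes: { key: /^data-/, value: /^[\w-]+$/ } },
  ],
  disallow: [
    { name: /.*/, attributes: /^on/i },
    { name: /^(script|iframe|object|embed)$/ },
  ],
};

console.log('unsafe config findings:', auditGhsConfig(UNSAFE_HTML_SUPPORT).length);
console.log('hardened config findings:', auditGhsConfig(HARDENED_HTML_SUPPORT).length);
```

Note that a `disallow` entry only covers what it names: keeping the catch-all `allow` rule and adding `{ name: /.*/, attributes: /^on/i }` stops `onerror` and friends but still lets `srcdoc` and `formaction` through, which is why the audit probes attribute names individually rather than trusting the presence of a disallow block. The check is a configuration-review aid, not a substitute for the 47.6.0 upgrade.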

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@ckeditor/ckeditor5-html-support (npm) | >= 29.0.0, < 47.6.0 | 47.6.0
ckeditor5 (npm) | >= 29.0.0, < 47.6.0 | 47.6.0

Affected products

2

  • Range: >= 29.0.0, < 47.6.0
  • ckeditor/ckeditor5 (v5)
    Range: >= 29.0.0, < 47.6.0

Patches

0

No patches discovered yet.

References

5
