CVE-2026-28343
Status: Received - Intake
Cross-Site Scripting in CKEditor 5 General HTML Support

Publication date: 2026-03-05

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-19
Generated: 2026-05-06
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ckeditor
Product: ckeditor5
Version / Range: up to 47.6.0 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28343 is a Cross-Site Scripting (XSS) vulnerability found in the General HTML Support feature of CKEditor 5 versions prior to 47.6.0.

This vulnerability occurs when the editor is configured to allow unsafe markup insertion through the General HTML Support feature.

An attacker can exploit this by inserting specially crafted HTML markup, which leads to unauthorized execution of JavaScript code within the editor instance.

The vulnerability only affects installations where General HTML Support is enabled and configured insecurely to permit unsafe content.

The issue has been patched in version 47.6.0 and later.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized execution of JavaScript code within the CKEditor 5 instance.

The impact includes low confidentiality and integrity loss, meaning sensitive information could be exposed or altered.

There is no impact on availability.

Because the attack vector is network-based with low complexity and no user interaction required, an attacker with low privileges could exploit this vulnerability remotely.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is present when CKEditor 5 runs with the General HTML Support feature enabled and configured to accept unsafe markup. Detection involves verifying whether your CKEditor 5 instances run a version prior to 47.6.0 and whether General HTML Support is enabled with an unsafe configuration.

There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade CKEditor 5 to version 47.6.0 or later, where the issue has been patched.

If upgrading is not immediately possible, securely configure the General HTML Support feature to prevent acceptance of unsafe markup. This includes restricting or sanitizing attributes such as the [srcdoc] attribute of <iframe> elements and disallowing unsafe URL schemes like javascript: and data: in the [src] attribute of <iframe> elements.
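The detection and mitigation answers above both come down to inspecting the General HTML Support (htmlSupport) configuration. The following is an added example, not CKEditor's own code and not part of this advisory. It models the weak "allow everything" configuration beside a hardened one that applies the two mitigations named above (dropping <iframe srcdoc> and restricting <iframe src> to http(s) URLs, which is the allow-list form of "disallow javascript: and data:"), and audits each with a small emulation of the GHS allow/disallow decision. The matcher shapes (name as a string or RegExp; attributes as true, a string, a RegExp, an array, or an attribute-name-to-value-pattern object) and the rule that disallow entries are applied after allow entries follow the public GHS documentation; the audit helpers (matchesPattern, ruleCoversAttribute, isAttributeAccepted, auditHtmlSupport) and the probe values are assumptions made for this illustration and only approximate the editor's real matcher.

```javascript
// Added example (not CKEditor's own code): models CKEditor 5 General HTML
// Support `htmlSupport` configuration objects as plain data and audits them
// for <iframe srcdoc> and javascript:/data: URLs in <iframe src>.
// The audit helpers below are illustrative assumptions, not the editor's matcher.

// Weak configuration: every element and attribute is allowed, nothing is disallowed.
const unsafeHtmlSupport = {
  allow: [ { name: /.*/, attributes: true, classes: true, styles: true } ]
};

// Hardened configuration: same broad allow-list, but <iframe srcdoc> is dropped and
// <iframe src> must start with http:// or https:// (the regex matches anything else,
// so everything else is disallowed, including javascript: and data: URLs).
const hardenedHtmlSupport = {
  allow: [ { name: /.*/, attributes: true, classes: true, styles: true } ],
  disallow: [
    { name: 'iframe', attributes: [ 'srcdoc' ] },
    { name: 'iframe', attributes: { src: /^(?!\s*https?:\/\/)/i } }
  ]
};

// A GHS pattern is `true` (match anything), a string (exact match) or a RegExp.
function matchesPattern( pattern, value ) {
  if ( pattern === true ) return true;
  if ( pattern instanceof RegExp ) return pattern.test( value );
  return pattern === value;
}

// Does one matcher rule cover attribute `attr` with value `value` on `element`?
function ruleCoversAttribute( rule, element, attr, value ) {
  if ( !matchesPattern( rule.name, element ) ) return false;
  const attrs = rule.attributes;
  if ( attrs === undefined ) return false;
  if ( attrs === true || typeof attrs === 'string' || attrs instanceof RegExp ) {
    return matchesPattern( attrs, attr );
  }
  if ( Array.isArray( attrs ) ) return attrs.some( p => matchesPattern( p, attr ) );
  // Object form: attribute name -> pattern applied to the attribute value.
  if ( typeof attrs === 'object' && attr in attrs ) return matchesPattern( attrs[ attr ], value );
  return false;
}

// GHS keeps an attribute only if some allow rule covers it and no disallow rule does.
function isAttributeAccepted( config, element, attr, value ) {
  const allowed = ( config.allow || [] ).some( r => ruleCoversAttribute( r, element, attr, value ) );
  const denied = ( config.disallow || [] ).some( r => ruleCoversAttribute( r, element, attr, value ) );
  return allowed && !denied;
}

// Constructed probes: the attribute/value combinations the mitigation says an
// editor should not accept (the last one checks leading whitespace and case).
const PROBES = [
  [ 'iframe', 'srcdoc', '<p>inline document</p>' ],
  [ 'iframe', 'src', 'javascript:void(0)' ],
  [ 'iframe', 'src', 'data:text/html,<p>x</p>' ],
  [ 'iframe', 'src', ' JavaScript:void(0)' ]
];

// Returns one finding per probe the configuration would let through.
function auditHtmlSupport( config ) {
  return PROBES
    .filter( ( [ element, attr, value ] ) => isAttributeAccepted( config, element, attr, value ) )
    .map( ( [ element, attr, value ] ) => `${ element }[${ attr }] accepts ${ JSON.stringify( value ) }` );
}

console.log( 'unsafe   :', auditHtmlSupport( unsafeHtmlSupport ) );   // four findings
console.log( 'hardened :', auditHtmlSupport( hardenedHtmlSupport ) ); // []
```

In a real editor the hardened object is what you pass as the htmlSupport option when creating the editor (alongside the GeneralHtmlSupport plugin); the emulation here only helps you reason about a configuration before deploying it, and a stale editor build still needs the upgrade to 47.6.0 regardless of configuration.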

