CVE-2026-28343
Status: Received (Intake)
Cross-Site Scripting in CKEditor 5 General HTML Support

Publication date: 2026-03-05

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-19
Page generated: 2026-06-16
EPSS evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products
One associated CPE:
Vendor: ckeditor
Product: ckeditor5
Version range: up to 47.6.0 (exclusive); per the description above, the affected range starts at 29.0.0
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Impact Analysis

Successful exploitation runs attacker-supplied JavaScript in the browser of any user whose CKEditor 5 instance loads the crafted markup under a permissive General HTML Support configuration. As with any XSS, that script executes with the victim's session and origin privileges on the hosting application, not merely "inside the editor".

The rating summarized on this page puts confidentiality and integrity impact at low (data visible to or editable by the victim could be read or altered) and availability impact at none.

The attack vector is rated network-based with low complexity and no user interaction, requiring only low privileges: an attacker who can get content into the editor (for example, an authenticated contributor submitting a document that others later open) can plant the payload remotely.


Executive Summary

CVE-2026-28343 is a cross-site scripting (XSS) vulnerability in the General HTML Support feature of CKEditor 5, affecting versions from 29.0.0 up to but not including 47.6.0.

The bug is reachable only when the General HTML Support plugin is enabled and its configuration admits unsafe markup; the default, restrictive configuration is not reported as affected.

In that configuration, specially crafted HTML inserted into the editor leads to execution of attacker-controlled JavaScript in the browser of the user whose editor instance processes it.

The issue is fixed in version 47.6.0 and later.

Detection Guidance

Two conditions must hold for an installation to be exposed: CKEditor 5 is at a version in the affected range (29.0.0 or later, below 47.6.0), and the General HTML Support feature is enabled with a configuration that admits unsafe markup.

The advisory itself supplies no detection commands, so check both conditions directly. For the version, inspect the dependency tree of the application that bundles the editor (the ckeditor5 package, or the individual @ckeditor/ckeditor5-html-support package in older setups, via npm ls or the lockfile) and, for deployed builds, the version the loaded editor reports at runtime. For the configuration, review the htmlSupport.allow rules passed to the editor: a catch-all rule (a name pattern matching every element with all attributes permitted), or any rule that admits <iframe> with srcdoc or with an unrestricted src attribute, is the unsafe shape the advisory describes, unless an htmlSupport.disallow rule explicitly blocks those attributes.

Mitigation Strategies

Upgrade CKEditor 5 to version 47.6.0 or later, where the issue is patched. This is the only complete fix.

If upgrading is not immediately possible, tighten the General HTML Support configuration so that it no longer accepts unsafe markup: disallow the [srcdoc] attribute of <iframe> elements, and reject unsafe URL schemes such as javascript: and data: in the [src] attribute of <iframe> elements. Prefer an allow-list of acceptable schemes (http, https) over a deny-list of known-bad ones, and keep a restrictive configuration even after upgrading. Note that this configuration lives in the browser of whoever opens the content, so every editor deployment that can load stored or user-supplied HTML needs it; an attacker can submit crafted content through any channel, not only through your editor's UI.
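The version check and configuration review described under Detection Guidance and Mitigation Strategies, as an added example that is not code from the CKEditor 5 project or from this advisory. The rule-matching logic is a simplified reading of the documented shape of htmlSupport.allow and htmlSupport.disallow rules ({ name, attributes, classes, styles }) and is an assumption rather than the editor's own matcher; the function names are mine, and the sample configurations and version strings are constructed for the demonstration.

```javascript
// Added example for this advisory page; not CKEditor 5 project code.
// Audits (a) whether a CKEditor 5 version lies in the affected range
// (>= 29.0.0 and < 47.6.0) and (b) whether a General HTML Support config
// admits the markup the advisory names: iframe[srcdoc], and iframe[src]
// with no value pattern that could reject javascript: / data: URLs.
// ASSUMPTION: the matcher below mirrors the documented rule shape only
// loosely; it is not the editor's real matching logic.

function parseVersion(v) {
  // "47.6.0" -> [47, 6, 0]; a prerelease suffix is dropped, missing parts become 0.
  return String(v).split('-')[0].split('.').map(p => parseInt(p, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(v) {
  return compareVersions(v, '29.0.0') >= 0 && compareVersions(v, '47.6.0') < 0;
}

// Does a rule's `name` selector (string or RegExp) match this element?
function nameMatches(name, tag) {
  if (name instanceof RegExp) return name.test(tag);
  if (typeof name === 'string') return name === tag;
  return false; // rules without a usable name selector are ignored here
}

// How a rule's `attributes` field treats one attribute:
//   'any'        admitted with no restriction on its value
//   'restricted' admitted only when the value matches a pattern
//   null         not admitted by this rule
function attrPermitted(attributes, attrName) {
  if (attributes === true) return 'any';
  if (!attributes) return null;
  if (typeof attributes === 'string' || attributes instanceof RegExp) {
    return nameMatches(attributes, attrName) ? 'any' : null;
  }
  if (Array.isArray(attributes)) {
    for (const a of attributes) {
      const r = attrPermitted(a, attrName);
      if (r) return r;
    }
    return null;
  }
  if (typeof attributes === 'object') {
    if (!Object.prototype.hasOwnProperty.call(attributes, attrName)) return null;
    return attributes[attrName] === true ? 'any' : 'restricted';
  }
  return null;
}

// Returns a list of unsafe findings for a `config.htmlSupport` object.
function auditHtmlSupport(htmlSupport) {
  const allow = (htmlSupport && htmlSupport.allow) || [];
  const disallow = (htmlSupport && htmlSupport.disallow) || [];
  const blocked = (tag, attr) =>
    disallow.some(r => nameMatches(r.name, tag) && attrPermitted(r.attributes, attr) !== null);
  const findings = [];
  for (const rule of allow) {
    if (!nameMatches(rule.name, 'iframe')) continue;
    if (attrPermitted(rule.attributes, 'srcdoc') !== null && !blocked('iframe', 'srcdoc')) {
      findings.push('iframe[srcdoc] admitted: inline HTML, including <script>, can be placed in the frame');
    }
    if (attrPermitted(rule.attributes, 'src') === 'any' && !blocked('iframe', 'src')) {
      findings.push('iframe[src] admitted without a value pattern: javascript: and data: URLs are not rejected');
    }
  }
  return findings;
}

// Both advisory conditions must hold for the bug to be reachable.
function assess(version, htmlSupport) {
  const findings = auditHtmlSupport(htmlSupport);
  const affectedVersion = isAffectedVersion(version);
  return { affectedVersion, findings, exposed: affectedVersion && findings.length > 0 };
}

// Constructed sample configs. The first is the "allow everything" shape
// shown in the GHS documentation; the second keeps iframes but applies the
// interim mitigation; the third never admits iframes at all.
const unsafeHtmlSupport = {
  allow: [ { name: /.*/, attributes: true, classes: true, styles: true } ]
};

const interimHtmlSupport = {
  allow: [ { name: 'iframe', attributes: true } ],
  disallow: [
    { name: 'iframe', attributes: [ 'srcdoc' ] },
    { name: 'iframe', attributes: { src: /^\s*(javascript|data):/i } }
  ]
};

const hardenedHtmlSupport = {
  allow: [
    { name: /^(div|span|section|table|thead|tbody|tr|td|th)$/, classes: true, styles: [ 'color', 'text-align' ] },
    { name: 'a', attributes: { href: /^https?:\/\// } },
    { name: 'img', attributes: { src: /^https?:\/\//, alt: true } }
  ]
};

console.log(assess('47.5.0', unsafeHtmlSupport));   // exposed: true, two findings
console.log(assess('47.5.0', interimHtmlSupport));  // exposed: false (config blocks the vectors)
console.log(assess('47.6.0', unsafeHtmlSupport));   // exposed: false (patched version)
```

The version check is deliberately separate from the configuration check: a patched version with a catch-all rule is no longer exposed to this CVE but is still a poor configuration, and an affected version with the interim rules is mitigated but not fixed. Feed assess() the version your deployed build reports and the htmlSupport object from your editor configuration, and treat any non-empty findings list on an affected version as a finding to act on.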
