CVE-2025-58064
September 03, 2025
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. ckeditor5 and ckeditor5-clipboard versions 46.0.0 through 46.0.2 and 44.2.0 through 45.2.1 contain a Cross-Site Scripting (XSS) vulnerability. Ability to exploit could be triggered by a specific user action (leading to unauthorized JavaScript code execution) if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects installations where the editor configuration meets one of the following criteria: the HTML embed plugin is enabled, or there is a custom plugin introducing an editable element where view RawElement is enabled. This issue is fixed in versions 45.2.2 and 46.0.3 of both ckeditor5 and ckeditor5-clipboard.
Affected Packages
ckeditor5 (NPM):
Affected version(s) >=44.2.0 <45.2.2Fix Suggestion:
Update to version 45.2.2Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.7
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
EPSS
Base Score:
0.09
