Mgsypublished

**Name of the Vulnerable Software and Affected Versions** CKEditor 5 versions prior to 35.0.1 **Description** A cross-site scripting issue has been discovered in CKEditor 5, affecting three optional packages: `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The vulnerability allows triggering JavaScript code after fulfilling specific conditions, including using one of the affected packages, destroying the editor instance, and initializing the editor on an element other than `<textarea>`. The root cause is a mechanism responsible for updating the source element with markup from the CKEditor 5 data pipeline after destroying the editor. This issue might affect a small percentage of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support, or HTML embed features. **Recommendations** For versions prior to 35.0.1, update to version 35.0.1 to resolve the issue. As a temporary workaround, consider avoiding the use of the affected packages `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed` until the update is applied. Restrict access to configurations that allow unsafe markup inside the editor for `ckeditor5-html-support` and `ckeditor5-html-embed` packages to minimize the risk of exploitation. Avoid initializing the editor on elements other than `<textarea>` and refrain from destroying the editor instance unless necessary, until the update is applied.