PT-2025-35839 · Ckeditor · Ckeditor 5

Mgsy · Published 2025-09-03 · Updated 2025-09-04 · CVE-2025-58064

CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions

ckeditor5 versions 44.2.0 through 45.2.1
ckeditor5 versions 46.0.0 through 46.0.2
ckeditor5-clipboard versions 44.2.0 through 45.2.1
ckeditor5-clipboard versions 46.0.0 through 46.0.2

Description

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. The software contains a cross-site scripting (XSS) vulnerability. Exploitation could lead to unauthorized JavaScript code execution if an attacker inserts malicious content into the editor, and it potentially occurs with a specific editor configuration. The issue affects installations where the HTML embed plugin is enabled, or where a custom plugin introduces an editable element in which the view RawElement is enabled.

Recommendations

Update to ckeditor5 version 45.2.2 or later.
Update to ckeditor5-clipboard version 45.2.2 or later.
Update to ckeditor5 version 46.0.3 or later.
Update to ckeditor5-clipboard version 46.0.3 or later.
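
An added example, not part of the advisory or of CKEditor's own code: a Node.js check that flags package-lock.json entries falling inside the affected ranges listed above and reports the fixed version to move to. The scoped npm name @ckeditor/ckeditor5-clipboard is assumed for the product this page calls ckeditor5-clipboard, and the lockfile fragment is constructed sample data.

```javascript
// Affected ranges and fixed versions, copied from this advisory.
const AFFECTED = [
  { min: '44.2.0', max: '45.2.1', fixed: '45.2.2' },
  { min: '46.0.0', max: '46.0.2', fixed: '46.0.3' },
];
// Assumption: npm names of the two affected products.
const PACKAGES = ['ckeditor5', '@ckeditor/ckeditor5-clipboard'];

// Parse "MAJOR.MINOR.PATCH"; anything else (pre-release tags, git URLs) returns null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed version to upgrade to, or null when the version is not affected.
// Unparseable versions return 'unknown' so they are reviewed by hand, not silently passed.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  const hit = AFFECTED.find(r =>
    compare(v, parseVersion(r.min)) >= 0 && compare(v, parseVersion(r.max)) <= 0);
  return hit ? hit.fixed : null;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3), nested copies included.
function audit(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!PACKAGES.includes(name)) continue;
    const fix = fixFor(entry.version);
    if (fix) findings.push({ path, name, version: entry.version, fix });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/ckeditor5': { version: '46.0.3' },
  'node_modules/@ckeditor/ckeditor5-clipboard': { version: '45.2.1' },
  'node_modules/cms/node_modules/ckeditor5': { version: '44.1.0' },
  'node_modules/widget/node_modules/@ckeditor/ckeditor5-clipboard': { version: '46.0.1' },
}};
console.log(audit(sampleLock));
```

Nested node_modules paths are checked as well, because a transitive dependency can pin an affected copy even when the top-level package is already on a fixed version.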

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-58064
GHSA-X9GP-VJH6-3WV6

Affected Products

Ckeditor 5
Ckeditor5-Clipboard