CVE-2026-28343

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-28343
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.

6.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0 Release Notes
https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93 Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*
History

17 Mar 2026, 18:39

Type Values Removed Values Added
References () https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0 - () https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0 - Release Notes
References () https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93 - () https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93 - Mitigation, Vendor Advisory
CPE cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*
First Time Ckeditor ckeditor5
Ckeditor

09 Mar 2026, 13:36

Type Values Removed Values Added
Summary
  • (es) CKEditor 5 es un editor de texto enriquecido moderno de JavaScript con una arquitectura MVC. Antes de la versión 47.6.0, se ha descubierto una vulnerabilidad de cross-site scripting (XSS) en la función de Soporte HTML General. Esta vulnerabilidad podría activarse mediante la inserción de marcado especialmente diseñado, lo que llevaría a la ejecución no autorizada de código JavaScript, si la instancia del editor utilizaba una configuración insegura de Soporte HTML General. Este problema se ha corregido en la versión 47.6.0.

05 Mar 2026, 20:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-05 20:16

Updated : 2026-03-17 18:39

NVD link : CVE-2026-28343

Mitre link : CVE-2026-28343

CVE.ORG link : CVE-2026-28343

JSON object : View

Products Affected

ckeditor

  • ckeditor5
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')