CKEditor 5: Malicious code injection through crafted HTML

UBUNTU-CVE-2026-28343
Summary

CKEditor 5 before version 47.6.0 contains a cross-site scripting (XSS) flaw in its General HTML Support feature: if an editor instance uses an unsafe General HTML Support configuration, an attacker who can insert specially crafted HTML into that editor can get unauthorized JavaScript to run in the context of your website. To fix the issue, update CKEditor 5 to version 47.6.0 or later.

What to do

No fix is available yet for the affected Ubuntu packages listed below. Check with your software vendor for updates.

Affected software
Vendor      Product                 Affected versions   Fix available
canonical   ckeditor                All versions        No
canonical   ckeditor3               All versions        No
canonical   ldap-account-manager    All versions        No
canonical   request-tracker4        All versions        No
Original description
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
Source: OSV · CVSS 3.1 base score: 6.4
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026