logo

Database

Reflected cross-site scripting (XSS) In ckeditor5-premium-features

Description

Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package

Impact

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document.

This vulnerability affects only installations with Real-time collaborative editing enabled.

Patches

The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above).

For more information

Email us at [email protected] if you have any questions or comments about this advisory.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-252992. NVD-2025-252993. OSV-2025-252994. GHSA-j3mm-wmfm-mwvh5. GCVE-2025-25299

References

1. https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-j3mm-wmfm-mwvh2. https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html3. https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html?docId=ee1dca024c9b4e44aef039f99ebe6c6644. https://github.com/ckeditor/ckeditor5/releases/tag/v44.2.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.