Reflected cross-site scripting (XSS) in drupal/ckeditor5_youtube

Description

The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.

The module doesn't sufficiently validate iframe sources when a user embeds a video using the CKEditor YouTube integration, leading to a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to use the CKEditor Youtube embed button.
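
The kind of iframe source validation the description refers to, as an added example; it is not the module's code or its actual patch. The allowed hosts, the 11-character video ID pattern, the optional `start` parameter and all function names are assumptions made for illustration.

```javascript
// Added example: allowlist validation of a YouTube embed iframe src.
// ALLOWED_HOSTS, VIDEO_ID and the function names are illustrative assumptions.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'www.youtube-nocookie.com']);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Returns a rebuilt, canonical embed URL, or null if the input is rejected.
function safeYouTubeEmbedSrc(input) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input.trim()); // no base: relative and scheme-less input throws
  } catch (err) {
    return null;
  }
  // Scheme check rejects javascript:, data:, http: and anything else.
  if (url.protocol !== 'https:') return null;
  // Exact host match on the parsed hostname, never a substring or prefix test.
  if (url.username || url.password || !ALLOWED_HOSTS.has(url.hostname)) return null;
  const match = /^\/embed\/([^/]+)$/.exec(url.pathname);
  if (!match || !VIDEO_ID.test(match[1])) return null;
  // Rebuild from validated parts instead of echoing the caller's string.
  let src = `https://${url.hostname}/embed/${match[1]}`;
  const start = url.searchParams.get('start');
  if (start !== null && /^\d{1,6}$/.test(start)) src += `?start=${start}`;
  return src;
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  'https://www.youtube.com/embed/abcDEF12345?start=30&autoplay=1',
  'https://www.youtube-nocookie.com/embed/abcDEF12345',
  'javascript:alert(1)',
  'http://www.youtube.com/embed/abcDEF12345',
  'https://www.youtube.com.attacker.example/embed/abcDEF12345',
  'https://www.youtube.com@attacker.example/embed/abcDEF12345',
  'https://www.youtube.com/embed/abcDEF12345/../../redirect',
  '//www.youtube.com/embed/abcDEF12345',
];

function checkSamples() {
  return SAMPLES.map((s) => [s, safeYouTubeEmbedSrc(s)]);
}

console.log(checkSamples());
```

Only the first two samples are accepted, and the value written to the iframe is the rebuilt URL, so unrecognised query parameters and any markup smuggled into the original string never reach the rendered output.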

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions