CVE-2025-61261: XSS
Published Nov 7, 2025
A reflected cross-site scripting (XSS) vulnerability in CKEditor v46.1.0 and Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload.
Affected Software
4 affected components
CKSource CKEditor
Google Angular
angular Angular Node.js=18.0.0
CKEditor ckeditor5=46.1.0
Event History
Nov 7, 2025
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via NVD·07:16 PM
Frequently Asked Questions
1. What is the severity of CVE-2025-61261?
CVE-2025-61261 is classified as a high-severity reflected cross-site scripting (XSS) vulnerability.
2. How do I fix CVE-2025-61261?
To fix CVE-2025-61261, upgrade CKEditor to version 46.1.1 or later, and Angular to version 18.0.1 or later.
3. Which versions of CKEditor are affected by CVE-2025-61261?
CKEditor version 46.1.0 is affected by CVE-2025-61261.
4. Which versions of Angular are affected by CVE-2025-61261?
Angular version 18.0.0 is affected by CVE-2025-61261.
5. What types of attacks can be executed using CVE-2025-61261?
CVE-2025-61261 allows attackers to execute arbitrary code in the context of a user's browser.