CVE-2026-28343: CKEditor: Cross-site scripting (XSS) in the HTML Support package

Published Mar 4, 2026
·
Updated

Impact A Cross-Site Scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

General HTML Support is enabled, General HTML Support configuration allows inserting unsafe markup (see Security section to learn more).

Patches The problem has been recognized and patched. The fix will be available in version 47.6.0 (and above).

Workarounds CKEditor 5 recommends configuring General HTML Support securely to ensure that unsafe content is not accepted. Please refer to the Security section for detailed guidance.

Credits CKEditor 5 would like to thank: - Emilio Kevin - Jeongwoo Lee, Younsoung Kim, Minseok Kim and Jinyeong Kim from ENKI Whitehat

for responsibly reporting this vulnerability.

For more information Email us at security@cksource.com if you have any questions or comments about this advisory.

Other sources

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.

NVD

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.

MITRE

Affected Software

3 affected componentsFixes available
npm/ckeditor5<47.6.0
47.6.0
npm/@ckeditor/ckeditor5-html-support<47.6.0
47.6.0
CKEditor ckeditor5<47.6.0

Event History

Mar 4, 2026
Advisory Published
via GitHub·06:49 PM
Data Sourced
via GitHub·06:49 PM
DescriptionSeverityWeaknessAffected Software
Mar 5, 2026
CVE Published
via MITRE·07:42 PM
Data Sourced
via MITRE·07:42 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·08:16 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·08:16 PM
Affected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-28343?

CVE-2026-28343 is classified as a high severity vulnerability due to its potential for unauthorized JavaScript execution.

2

How do I fix CVE-2026-28343?

To fix CVE-2026-28343, update to version 47.6.0 or later of the affected CKEditor 5 packages.

3

What software is affected by CVE-2026-28343?

CVE-2026-28343 affects CKEditor 5 and @ckeditor/ckeditor5-html-support prior to version 47.6.0.

4

What type of vulnerability is CVE-2026-28343?

CVE-2026-28343 is a Cross-Site Scripting (XSS) vulnerability.

5

What can happen if CVE-2026-28343 is exploited?

If CVE-2026-28343 is exploited, it can lead to unauthorized execution of JavaScript in users' browsers.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203