Description

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. ckeditor5 and ckeditor5-clipboard versions 46.0.0 through 46.0.2 and 44.2.0 through 45.2.1 contain a Cross-Site Scripting (XSS) vulnerability. Ability to exploit could be triggered by a specific user action (leading to unauthorized JavaScript code execution) if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects installations where the editor configuration meets one of the following criteria: the HTML embed plugin is enabled, or there is a custom plugin introducing an editable element where view RawElement is enabled. This issue is fixed in versions 45.2.2 and 46.0.3 of both ckeditor5 and ckeditor5-clipboard.

INFO

Published Date :

2025-09-03T22:02:53.296Z

Last Modified :

2025-09-04T20:03:46.927Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58064 vulnerability.

Vendors Products
Ckeditor
  • Ckeditor5
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58064.

URL Resource
https://github.com/ckeditor/ckeditor5/commit/b210e90c6cf84e662ef6c7daf93a92355a961bf2 cve-icon cve-icon
https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-x9gp-vjh6-3wv6 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability