CKEditor 4.9.2 with a security patch released

We would like to announce the release of CKEditor 4.9.2 that contains a security fix for the Enhanced Image plugin, so an upgrade is highly recommended for all CKEditor 4.5.11+ installations that include it.
# Security issue fixed
CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (`image2`) plugin reported by Kyaw Min Thein. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the `<img>` tag and specially crafted HTML.
Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.
CKEditor versions affected: 4.5.11 and later.
We would like to thank the Drupal security team for bringing this matter to our attention and coordinating the fix and release process!
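
The check below tests whether an installation falls in the affected range described above. It is an added example, not CKEditor's own code. The function names are hypothetical, the inputs are meant to come from `CKEDITOR.version` and the keys of `editor.plugins`, and treating every release from 4.9.2 onward as fixed is an assumption.

```javascript
// Added example; the range and plugin name are taken from the advisory text above.
const FIRST_AFFECTED = '4.5.11';
const FIXED_IN = '4.9.2';
const PLUGIN = 'image2';

// Parse "4.9.2" into [4, 9, 2]; null if it is not a dotted numeric version.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// Compare part by part as numbers. A plain string comparison would rank
// "4.10.0" below "4.9.2" and "4.5.11" below "4.5.9".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// version: string such as CKEDITOR.version
// pluginNames: array such as Object.keys(editor.plugins)
function checkImage2Exposure(version, pluginNames) {
  const loaded = pluginNames.map((n) => String(n).trim().toLowerCase());
  if (!loaded.includes(PLUGIN)) {
    return { status: 'not-affected', reason: 'image2 plugin is not loaded' };
  }
  const v = parseVersion(version);
  if (!v) {
    return { status: 'unknown', reason: 'version string could not be parsed' };
  }
  if (compareVersions(v, parseVersion(FIRST_AFFECTED)) < 0) {
    return { status: 'not-affected', reason: 'older than ' + FIRST_AFFECTED };
  }
  if (compareVersions(v, parseVersion(FIXED_IN)) >= 0) {
    return { status: 'not-affected', reason: 'at or above ' + FIXED_IN };
  }
  return { status: 'affected', reason: 'upgrade to ' + FIXED_IN + ' or later' };
}

// Constructed sample inventory (not real installations).
const samples = [
  ['4.9.1', ['basicstyles', 'image2']],
  ['4.10.0', ['image2']],
  ['4.8.0', ['image']],
];
for (const [ver, plugins] of samples) {
  console.log(ver, plugins.join(','), checkImage2Exposure(ver, plugins).status);
}
```

In a page that hosts the editor, call `checkImage2Exposure(CKEDITOR.version, Object.keys(editor.plugins))` for each editor instance.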
# Release notes
Check out the release notes and contact us for more information.
# Download
Download CKEditor now and upgrade your installation or use your favorite package manager to install it!
# License
CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.
# Reporting issues and contributing
Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.
# Support
Community support is available through Stack Overflow. Visit the resources page for additional options.