CKEditor 4.9.2 with a security patch released

CKEditor 4 release with a security patch

We would like to announce the release of CKEditor 4.9.2 that contains a security fix for the Enhanced Image plugin, so an upgrade is highly recommended for all CKEditor 4.5.11+ installations that include it.

# Security issue fixed

CKEditor 4.9.2 fixes an XSS vulnerability in the Enhanced Image (image2) plugin reported by Kyaw Min Thein. The vulnerability made it possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML.

Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.

CKEditor versions affected: 4.5.11 and later.
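The two conditions above (a version from 4.5.11 up to but not including 4.9.2, and the image2 plugin actually active) can be checked mechanically. The helper below is an added example, not CKEditor code; it assumes the version string as exposed by `CKEDITOR.version` and the comma-separated `plugins`, `extraPlugins` and `removePlugins` fields of a CKEditor 4 editor config, and it compares versions numerically so that a release such as 4.10.0 is correctly treated as later than 4.9.2.

```javascript
// Added audit helper (not CKEditor code): decides whether a CKEditor 4
// installation falls in the range affected by the image2 XSS fixed in 4.9.2.
// Affected: 4.5.11 <= version < 4.9.2 AND the image2 plugin is active.

const FIRST_AFFECTED = '4.5.11';
const FIXED_IN = '4.9.2';

// Numeric, component-wise version compare. A plain string compare would
// wrongly order "4.10.0" before "4.9.2".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolve the effective plugin set the way CKEditor 4 config does: the build's
// config.plugins list, plus config.extraPlugins, minus config.removePlugins.
// All three are comma-separated strings in the editor config.
function activePlugins(config) {
  const split = (s) => (s || '').split(',').map((p) => p.trim()).filter(Boolean);
  const removed = new Set(split(config.removePlugins));
  const active = new Set([...split(config.plugins), ...split(config.extraPlugins)]);
  for (const p of removed) active.delete(p);
  return active;
}

// version: the CKEDITOR.version string; config: the editor's config object.
function isAffected(version, config) {
  const inRange =
    compareVersions(version, FIRST_AFFECTED) >= 0 &&
    compareVersions(version, FIXED_IN) < 0;
  return inRange && activePlugins(config).has('image2');
}

// Constructed sample: a custom build on 4.9.1 with image2 enabled.
const sampleConfig = {
  plugins: 'basicstyles,clipboard,image2,link,toolbar,wysiwygarea',
  extraPlugins: '',
  removePlugins: '',
};

console.log(isAffected('4.9.1', sampleConfig)); // true
```

In a live page the same check can be run from the browser console by passing `CKEDITOR.version` and `CKEDITOR.instances.<name>.config`; note that a plugin pulled in via `extraPlugins` counts as enabled even if the build itself did not include it.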

We would like to thank the Drupal security team for bringing this matter to our attention and coordinating the fix and release process!

# Release notes

Check out the release notes and contact us for more information.

# Download

Download CKEditor now and upgrade your installation or use your favorite package manager to install it!

# License

CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.

# Reporting issues and contributing

Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.

# Support

Community support is available through Stack Overflow. Visit the resources page for additional options.
