We would like to announce the release of CKEditor 5 v10.0.1 that contains a security fix for the Link package, so an upgrade is highly recommended for all CKEditor 5 installations that include it. Additionally, this release fixes an issue with the decoupled editor that blocked enabling real-time collaboration in this editor.
# Security issue fixed
CKEditor 5 v10.0.1 fixes a cross-site scripting (XSS) issue in the @ckeditor/ckeditor5-link package. The vulnerability allowed remote attackers to inject an arbitrary web script through a crafted href attribute of a link (
Note that all official CKEditor 5 builds as well as all custom builds which included this package are affected.
CKEditor 5 versions affected: v0.3.0 and later.
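Independently of the upgrade, an application that stores and re-renders editor output can validate link href values on its own side. The following is an added example, not CKEditor 5 code and not the fix shipped in v10.0.1; the function names, the scheme allowlist and the sample values are assumptions.

```javascript
// Added example: not CKEditor 5 code. The scheme allowlist is an assumption;
// adjust it to what your application actually needs.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'ftp']);

// Returns true when an already HTML-decoded href value is safe to render.
function isSafeHref(href) {
  if (typeof href !== 'string') return false;
  // URL parsers in browsers drop tab/CR/LF anywhere in the value and ignore
  // leading control characters and spaces, so normalise the same way first.
  const normalised = href
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(normalised);
  // No scheme means a relative URL, fragment or query string.
  if (!scheme) return true;
  return SAFE_SCHEMES.has(scheme[1].toLowerCase());
}

// Replaces an unsafe href with an inert fragment link.
function sanitizeHref(href) {
  return isSafeHref(href) ? href : '#';
}

// Audits stored link values and returns the ones that would be rejected.
function findUnsafeHrefs(hrefs) {
  return hrefs.filter((href) => !isSafeHref(href));
}

// Constructed sample values, as they might come out of saved editor content.
const SAMPLE_HREFS = [
  'https://example.com/docs',
  '/relative/path?x=1#top',
  'mailto:user@example.com',
  'javascript:void(0)',
  ' JaVa\tScRiPt:void(0)',
  'data:text/html,placeholder',
];

console.log(findUnsafeHrefs(SAMPLE_HREFS));
```

The check fails closed: a scheme-less value such as `localhost:8080/x` is parsed as scheme `localhost` and rejected, so write such links with an explicit `http://` or `https://` prefix.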
# Other fixes
Other than that, this release fixes an issue with asynchronous data initialization in the decoupled editor class, which blocked enabling real-time collaboration in this editor.
CKEditor 5 is available under Open Source and Commercial licenses. Full details can be found on our license page.
# Reporting issues and contributing
The project documentation is growing and always up to date. Community support is available through Stack Overflow. Visit the Gitter channel if you have some quick questions. Read more in the Getting support guide.