We would like to announce the release of CKEditor 5 v10.0.1 that contains a security fix for the Link package, so an upgrade is highly recommended for all CKEditor 5 installations that include it. Additionally, this release fixes an issue with the decoupled editor that blocked enabling real-time collaboration in this editor.
# Security issue fixed
CKEditor 5 v10.0.1 fixes a cross-site scripting (XSS) issue in the `@ckeditor/ckeditor5-link` package. The vulnerability allowed remote attackers to inject an arbitrary web script through a crafted `href` attribute of a link (`<a>`) element.
Note that all official CKEditor 5 builds as well as all custom builds which included this package are affected.
CKEditor 5 versions affected: v0.3.0 and later.
This issue was reported independently by Toan Chi Nguyen from Techlab Corporation and Michal Bazyli. Thank you!
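For content that was saved with an affected version, the application that renders it can add its own check on link targets. The following is an added example, not code from CKEditor 5 or from its fix: it accepts an `href` only when it is relative or uses an allowlisted scheme. The allowlist, the function names and the sample values are assumptions, and the announcement does not describe the crafted value itself.

```javascript
'use strict';

// Assumption: schemes this application accepts in links. Adjust to your needs.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel', 'ftp']);

// Mirror what browsers do before parsing a URL: drop leading/trailing
// C0 control characters and spaces, and remove tab/CR/LF anywhere.
function normalizeHref(href) {
  return String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// True when the value is relative (no scheme) or uses an allowlisted scheme.
function isSafeHref(href) {
  const value = normalizeHref(href);
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  if (!match) {
    return true; // relative URL, fragment, query or scheme-relative "//host"
  }
  return ALLOWED_SCHEMES.has(match[1].toLowerCase());
}

// Replace anything outside the allowlist with an inert fragment link.
function sanitizeHref(href) {
  return isSafeHref(href) ? normalizeHref(href) : '#';
}

// Constructed sample values, as they would appear after HTML attribute decoding.
const samples = [
  'https://example.com/docs',
  '/relative/path?x=a:b',
  'mailto:user@example.com',
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', sanitizeHref(s));
}
```

Run the check on the decoded attribute value (for example the value read from a parsed DOM), not on raw HTML text, so that character references are already resolved.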
# Other fixes
Other than that, this release fixes an issue with asynchronous data initialization in the decoupled editor class which blocked enabling real-time collaboration in this editor.
# Download
CKEditor 5 builds can be downloaded from the CDN, npm or as zip packages. Read more in the Installation guide.
# License
CKEditor 5 is available under Open Source and Commercial licenses. Full details can be found on our license page.
# Reporting issues and contributing
You can report all general issues in the main CKEditor 5 repository. Read more in the Reporting issues guide.
# Support
The project documentation is growing and always up to date. Community support is available through Stack Overflow. Read more in the Getting support guide.