We would like to announce the release of CKEditor 5 v10.0.1 that contains a security fix for the Link package, so an upgrade is highly recommended for all CKEditor 5 installations that include it. Additionally, this release fixes an issue with the decoupled editor that blocked enabling real-time collaboration in this editor.
# Security issue fixed
CKEditor 5 v10.0.1 fixes a cross-site scripting (XSS) issue in the @ckeditor/ckeditor5-link package. The vulnerability allowed remote attackers to inject an arbitrary web script through a crafted href attribute of a link (
Note that all official CKEditor 5 builds as well as all custom builds which included this package are affected.
CKEditor 5 versions affected: v0.3.0 and later.
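For integrators who also want a server-side check on link targets in stored content, the following is an added example and not code from CKEditor 5 or its fix: it validates an href against a scheme allowlist. The function names, the allowlist policy and the sample values are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for link href values (not CKEditor 5 code).
// Assumed policy: only these schemes may appear in user-supplied links.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel', 'ftp']);

// Browsers remove tab, CR and LF from anywhere in a URL and skip leading
// control characters and spaces before reading the scheme, so the check
// must normalize the value the same way or it can be bypassed.
function normalizeHref(href) {
  return String(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
}

function isSafeHref(href) {
  const value = normalizeHref(href);
  // Scheme syntax: a letter, then letters, digits, "+", "-" or ".", then ":".
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  if (!match) {
    // No scheme: a relative URL, fragment or query, resolved against the page.
    return true;
  }
  return SAFE_SCHEMES.has(match[1].toLowerCase());
}

// Keep the link text but neutralize the target when the href is rejected.
function sanitizeHref(href) {
  return isSafeHref(href) ? String(href) : '#';
}

// Constructed sample values, not taken from the advisory.
const SAMPLES = [
  'https://example.com/docs',
  '/relative/page#section',
  'mailto:user@example.com',
  'JavaScript:void(0)',
  ' \tjava\nscript:void(0)',
  'data:text/html,placeholder',
];

// Returns the samples that the allowlist rejects.
function rejectedSamples() {
  return SAMPLES.filter((href) => !isSafeHref(href));
}
```

Run the check on the server when content is saved, so that it still applies to data produced by an editor build that has not yet been upgraded.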
# Other fixes
Other than that, this release fixes an issue with asynchronous data initialization in the decoupled editor class which blocked enabling real-time collaboration in this editor.
CKEditor 5 is available under Open Source and Commercial licenses. Full details can be found on our license page.