CKEditor 5 v10.0.1 with a security patch released
We would like to announce the release of CKEditor 5 v10.0.1 that contains a security fix for the Link package, so an upgrade is highly recommended for all CKEditor 5 installations that include it. Additionally, this release fixes an issue with the decoupled editor that blocked enabling real-time collaboration in this editor.
# Security issue fixed
CKEditor 5 v10.0.1 fixes a cross-site scripting (XSS) issue in the `@ckeditor/ckeditor5-link` package. The vulnerability allowed remote attackers to inject an arbitrary web script through a crafted `href` attribute of a link (
Note that all official CKEditor 5 builds as well as all custom builds which included this package are affected.
CKEditor 5 versions affected: v0.3.0 and later.
This issue was reported independently by Toan Chi Nguyen from Techlab Corporation and Michal Bazyli. Thank you!
# Other fixes
Other than that, this release fixes an issue with asynchronous data initialization in the decoupled editor class which blocked enabling real-time collaboration in this editor.
CKEditor 5 builds can be downloaded from the CDN, npm or as zip packages. Read more in the Installation guide.
CKEditor 5 is available under Open Source and Commercial licenses. Full details can be found on our license page.
# Reporting issues and contributing
You can report all general issues in the main CKEditor 5 repository. Read more in the Reporting issues guide.
The project documentation is growing and always up to date. Community support is available through Stack Overflow. Read more in the Getting support guide.