
CKEditor 5 v10.0.1 with a security patch released

We would like to announce the release of CKEditor 5 v10.0.1 that contains a security fix for the Link package, so an upgrade is highly recommended for all CKEditor 5 installations that include it. Additionally, this release fixes an issue with the decoupled editor that blocked enabling real-time collaboration in this editor.

# Security issue fixed

CKEditor 5 v10.0.1 fixes a cross-site scripting (XSS) issue in the @ckeditor/ckeditor5-link package. The vulnerability allowed remote attackers to inject an arbitrary web script through a crafted href attribute of a link (<a>) element.

Note that all official CKEditor 5 builds, as well as all custom builds that include this package, are affected.

CKEditor 5 versions affected: v0.3.0 and later.

This issue was reported independently by Toan Chi Nguyen from Techlab Corporation and Michal Bazyli. Thank you!
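For sites that store or re-render editor output, link targets can also be checked independently of the editor version: the code below accepts an href only if it is relative or uses an allowlisted scheme. It is an added example, not CKEditor code and not the fix shipped in v10.0.1; the announcement does not describe the crafted value, so the allowlist, the function names and the constructed sample are assumptions.

```javascript
// Added example, not CKEditor code. ALLOWED_SCHEMES and every name here are assumptions.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel', 'ftp']);
const NAMED = new Map([['amp', '&'], ['colon', ':'], ['tab', '\t'], ['newline', '\n']]);

// Decode character references once, as the HTML parser does before the URL is used.
function decodeEntities(value) {
  return value.replace(/&(?:#x([0-9a-f]+);?|#(\d+);?|([a-z]+);)/gi, (m, hex, dec, name) => {
    if (name) return NAMED.get(name.toLowerCase()) ?? m;
    const cp = parseInt(hex ?? dec, hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
  });
}

// True when the (already decoded) href is relative or uses an allowlisted scheme.
function isSafeHref(href) {
  // Browsers trim leading control characters and drop tabs/newlines inside a URL,
  // so remove them all before looking for the scheme.
  const cleaned = href.replace(/[\u0000-\u0020\u007f-\u009f]/g, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!match) return true; // no scheme: relative path, query or fragment
  return ALLOWED_SCHEMES.has(match[1].toLowerCase());
}

// Return the decoded href of every <a> whose scheme is not allowlisted.
// Simplification: a regex stands in for a real HTML parser.
function findUnsafeLinks(html) {
  const hrefAttr = /<a\b[^>]*?\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const unsafe = [];
  for (const m of html.matchAll(hrefAttr)) {
    const href = decodeEntities(m[1] ?? m[2] ?? m[3]);
    if (!isSafeHref(href)) unsafe.push(href);
  }
  return unsafe;
}

// Constructed sample of saved editor output (not taken from the advisory).
const SAMPLE_HTML = [
  '<p><a href="https://example.com/docs">docs</a>',
  '<a href="#section-2">jump</a>',
  '<a href="mailto:team@example.com">mail</a>',
  '<a href="JavaScript:void(0)">mixed case</a>',
  "<a class='x' href='java&#x09;script&colon;void(0)'>encoded</a></p>",
].join('\n');

console.log(findUnsafeLinks(SAMPLE_HTML));
```

Running such a check on the server side when content is saved covers documents created before the upgrade as well.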

# Other fixes

Other than that, this release fixes an issue with asynchronous data initialization in the decoupled editor class which blocked enabling real-time collaboration in this editor.

# Download

CKEditor 5 builds can be downloaded from the CDN, npm or as zip packages. Read more in the Installation guide.

# License

CKEditor 5 is available under Open Source and Commercial licenses. Full details can be found on our license page.

# Reporting issues and contributing

You can report all general issues in the main CKEditor 5 repository. Read more in the Reporting issues guide.

# Support

The project documentation is growing and always up to date. Community support is available through Stack Overflow. Visit the Gitter channel if you have some quick questions. Read more in the Getting support guide.
