CKFinder 2.5.1 with Security Patches for PHP and Java Released

We’d like to announce the release of CKFinder 2.5.1. This release contains a security patch for a moderate security issue in the PHP and Java server-side connectors and just a few other small changes. Read on for details!

Security Patch for Java and PHP

During our standard penetration tests we discovered a moderate security issue in the PHP and Java connectors that allowed for manipulating files in folders configured as "hidden" if the server was hosted on a Windows platform. We thus recommend to upgrade CKFinder to the latest version.

If your upgrade and support  privilege have already expired, we strongly recommend renewing your license.

  • By renewing your CKFinder for PHP license you can upgrade straight to CKFinder 3.1, a superior solution with built-in image editor, cloud storage support, great responsiveness and full mobile support and many more features. See the demo here:
  • By renewing your CKFinder for Java license you can upgrade to 2.5.1 today and you are guaranteed a free upgrade to CKFinder 3.x for Java when it gets released in Q2/2016.

You can purchase a renewed license here. If you own an Enterprise license, contact our Sales team for a discounted offer!

The following screenshot presents CKFinder 3.1 (currently available for PHP) at its current state:

CKFinder 3.1 for PHP

Other Changes

This release also includes a handful of other changes. An issue with CKFinder showing a blank window when opened in a popup in Safari 8+ is now fixed. Apart from that, obsolete integration samples for FCKeditor and CKEditor 3.x were removed and the CKEditor 4.x integration sample was reworked to include an example on how to support drag&drop file uploads and pasting images from clipboard.

Last but not least, the following changes were introduced to the Java connector:

  • The Init command now returns resourceTypes added dynamically in the prepareConfigurationForRequest method.
  • It is now possible to dynamically change ACL settings in the prepareConfigurationForRequest method.
  • Starting from this version you can also modify config.xml without restarting the server.
  • CKFinder now works with  various server solutions for virtual directories, so it is possible to have the userfiles folder outside of the application context.


See the What’s New? page for a full list of changes.


Download CKFinder now!


All CKFinder licenses come with a year of dedicated support straight from core CKFinder developers. You can also refer to StackOverflow for community support.

If you have enjoyed reading this, be sure to check out our other blog posts

Subscribe to our newsletter

Keep your CKEditor fresh! Receive updates about releases, new features and security fixes.

We use cookies and other technologies to provide you with a better user experience.

Learn more

Hi there, any questions about products or pricing?

Any questions about our products or pricing?

Send us a quick message and one of our Sales Representatives will be in touch with you as soon as possible.

We are happy to
hear from you!

Thank you for reaching out to the CKEditor Sales Team. We have received your message and we will contact you shortly.