CKEditor 5 v46.0.3 Release Highlights: Security Fix Introduced
CKEditor 5 v46.0.3 has been released to address a cross-site scripting (XSS) vulnerability (CVE-2025-58064) in the clipboard package.
We highly recommend updating to the latest version to keep your application secure.
Security Fix for Clipboard Package
A cross-site scripting (XSS) vulnerability (CVE-2025-58064) was discovered in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution if an attacker inserted malicious content into the editor.
This vulnerability only affects installations where the editor configuration meets one of the following criteria:
- The HTML embed plugin is enabled
- A custom plugin introducing an editable element which implements ViewRawElement is enabled
For more details, refer to the security advisory, or contact us if you have more questions.