{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28343", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T18:38:13.889Z", "datePublished": "2026-03-05T19:42:58.372Z", "dateUpdated": "2026-03-19T18:45:43.135Z"}, "containers": {"cna": {"title": "CKEditor: Cross-site scripting (XSS) in the HTML Support package", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93"}, {"name": "https://github.com/ckeditor/ckeditor5/releases/tag/v29.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ckeditor/ckeditor5/releases/tag/v29.0.0"}, {"name": "https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0"}], "affected": [{"vendor": "ckeditor", "product": "ckeditor5", "versions": [{"version": ">= 29.0.0, < 47.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T18:45:43.135Z"}, "descriptions": [{"lang": "en", "value": "CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0."}], "source": {"advisory": "GHSA-jrqm-vmqc-gm93", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:56:09.434344Z", "id": "CVE-2026-28343", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:56:15.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28343", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T17:56:09.434344Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:56:12.556Z"}}], "cna": {"title": "CKEditor: Cross-site scripting (XSS) in the HTML Support package", "source": {"advisory": "GHSA-jrqm-vmqc-gm93", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ckeditor", "product": "ckeditor5", "versions": [{"status": "affected", "version": ">= 29.0.0, < 47.6.0"}]}], "references": [{"url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93", "name": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ckeditor/ckeditor5/releases/tag/v29.0.0", "name": "https://github.com/ckeditor/ckeditor5/releases/tag/v29.0.0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0", "name": "https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T18:45:43.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28343", "state": "PUBLISHED", "dateUpdated": "2026-03-19T18:45:43.135Z", "dateReserved": "2026-02-26T18:38:13.889Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T19:42:58.372Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ckeditor:ckeditor5:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6ADE9D9-13BD-491C-8B46-0A3D45582F03", "versionEndExcluding": "47.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0."}, {"lang": "es", "value": "CKEditor 5 es un editor de texto enriquecido moderno de JavaScript con una arquitectura MVC. Antes de la versi\u00f3n 47.6.0, se ha descubierto una vulnerabilidad de cross-site scripting (XSS) en la funci\u00f3n de Soporte HTML General. Esta vulnerabilidad podr\u00eda activarse mediante la inserci\u00f3n de marcado especialmente dise\u00f1ado, lo que llevar\u00eda a la ejecuci\u00f3n no autorizada de c\u00f3digo JavaScript, si la instancia del editor utilizaba una configuraci\u00f3n insegura de Soporte HTML General. Este problema se ha corregido en la versi\u00f3n 47.6.0."}], "id": "CVE-2026-28343", "lastModified": "2026-03-19T19:16:20.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T20:16:16.017", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ckeditor/ckeditor5/releases/tag/v29.0.0"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/ckeditor/ckeditor5/releases/tag/v47.6.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,47.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ckeditor5", "source": "cna", "vendor": "ckeditor"}, "product": "ckeditor5", "vendor": "ckeditor"}], "analysis": {"en": {"generated_at": "2026-04-16T12:12:10.764478+00:00", "value": {"mitigation_remediation": ["Upgrade CKEditor 5 to version 47.6.0 or later to eliminate the flaw.", "If an upgrade is not immediately possible, disable the General HTML Support feature or strictly sanitise any content before rendering.", "Ensure user\u2011generated content passed to the editor is validated or filtered to prevent XSS injection."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting that permits arbitrary JavaScript execution within web pages that host CKEditor 5"}, "threat_synthesis": {"affected_systems": "CKEditor 5 versions from 29.0.0 up to, but not including, 47.6.0 are affected. The flaw is triggered when the editor instance is configured with the unsafe General HTML Support option. The fix was introduced in CKEditor 5 version 47.6.0, which securely sanitises the passed content.", "description_and_impact": "This vulnerability exists in CKEditor 5\u2019s General HTML Support feature, where an attacker can insert specially crafted markup that triggers a cross\u2011site scripting flaw. The injection leads to unauthorized JavaScript code execution within the context of a page hosting the editor. Such execution can facilitate data theft, session hijacking or further compromise of the hosting application.", "risk_and_exploitability": "The CVSS score of 6.4 rates the flaw as medium severity. The EPSS score is below 1\u202f%, indicating a low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is through a web page that references an attacker\u2011crafted CKEditor instance with General\u202fHTML\u202fSupport enabled; content from an untrusted source can be injected, resulting in client\u2011side JavaScript execution. While the risk for an unpatched system is moderate, the low exploit probability suggests that attackers will invest effort only if the vulnerability is publicly known and the target uses a vulnerable version."}}}}, "created": "2026-03-06T15:01:12.768807+00:00", "updated": "2026-04-16T12:15:35.093824+00:00", "vendors": ["ckeditor", "ckeditor$PRODUCT$ckeditor5"]}