VulnerableCode Package Details - pkg:npm/ckeditor@4.11.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-c8r2-wpf3-47f9 Aliases: CVE-2021-26271 GHSA-jv4c-7jqq-m34x	CKEditor 4 ReDoS Vulnerability It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).	4.16.0 Affected by 0 other vulnerabilities.
VCID-h5zz-wz8f-2uf6 Aliases: CVE-2021-26272 GHSA-wpvm-wqr4-p7cw	Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).	4.16.0 Affected by 0 other vulnerabilities.
VCID-k7qp-c6vp-sqbg Aliases: CVE-2023-28439 GHSA-vh5c-xwqv-cv9g	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.	There are no reported fixed by versions.
VCID-sd2a-hmu2-wbax Aliases: CVE-2021-32809 GHSA-7889-rm5j-hpgg	Code Injection ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor.	4.16.2 Affected by 0 other vulnerabilities.
VCID-un66-k85j-b7d2 Aliases: CVE-2022-24728 GHSA-4fc4-4p5g-6w89	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.	There are no reported fixed by versions.
VCID-vj35-jtgq-8qbv Aliases: CVE-2021-37695 GHSA-m94c-37g6-cjhc	Cross-site Scripting ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched.	4.16.2 Affected by 0 other vulnerabilities.
VCID-xhp7-kqdk-tfeu Aliases: CVE-2022-24729 GHSA-f6rf-9m92-x2hh	Improper Input Validation CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.	4.18.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-c8r2-wpf3-47f9
Aliases:
CVE-2021-26271
GHSA-jv4c-7jqq-m34x

CKEditor 4 ReDoS Vulnerability It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

4.16.0
Affected by 0 other vulnerabilities.

VCID-h5zz-wz8f-2uf6
Aliases:
CVE-2021-26272
GHSA-wpvm-wqr4-p7cw

Inclusion of Functionality from Untrusted Control Sphere in CKEditor 4 It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

4.16.0
Affected by 0 other vulnerabilities.

VCID-k7qp-c6vp-sqbg
Aliases:
CVE-2023-28439
GHSA-vh5c-xwqv-cv9g

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.

There are no reported fixed by versions.

VCID-sd2a-hmu2-wbax
Aliases:
CVE-2021-32809
GHSA-7889-rm5j-hpgg

Code Injection ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor.

4.16.2
Affected by 0 other vulnerabilities.

VCID-un66-k85j-b7d2
Aliases:
CVE-2022-24728
GHSA-4fc4-4p5g-6w89

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

There are no reported fixed by versions.

VCID-vj35-jtgq-8qbv
Aliases:
CVE-2021-37695
GHSA-m94c-37g6-cjhc

Cross-site Scripting ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEdit The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at The problem has been recognized and patched.

4.16.2
Affected by 0 other vulnerabilities.

VCID-xhp7-kqdk-tfeu
Aliases:
CVE-2022-24729
GHSA-f6rf-9m92-x2hh

Improper Input Validation CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

4.18.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:24:25.441651+00:00	GitLab Importer	Affected by	VCID-k7qp-c6vp-sqbg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2023-28439.yml	38.4.0
2026-04-16T21:42:57.274364+00:00	GitLab Importer	Affected by	VCID-xhp7-kqdk-tfeu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24729.yml	38.4.0
2026-04-16T21:42:48.313925+00:00	GitLab Importer	Affected by	VCID-un66-k85j-b7d2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24728.yml	38.4.0
2026-04-16T21:28:20.955232+00:00	GitLab Importer	Affected by	VCID-vj35-jtgq-8qbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-37695.yml	38.4.0
2026-04-16T21:28:18.335436+00:00	GitLab Importer	Affected by	VCID-sd2a-hmu2-wbax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-32809.yml	38.4.0
2026-04-16T21:16:23.571273+00:00	GitLab Importer	Affected by	VCID-c8r2-wpf3-47f9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26271.yml	38.4.0
2026-04-16T21:16:17.863868+00:00	GitLab Importer	Affected by	VCID-h5zz-wz8f-2uf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26272.yml	38.4.0
2026-04-11T23:42:36.159877+00:00	GitLab Importer	Affected by	VCID-k7qp-c6vp-sqbg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2023-28439.yml	38.3.0
2026-04-11T22:58:29.562999+00:00	GitLab Importer	Affected by	VCID-xhp7-kqdk-tfeu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24729.yml	38.3.0
2026-04-11T22:58:20.060905+00:00	GitLab Importer	Affected by	VCID-un66-k85j-b7d2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24728.yml	38.3.0
2026-04-11T22:41:18.805412+00:00	GitLab Importer	Affected by	VCID-vj35-jtgq-8qbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-37695.yml	38.3.0
2026-04-11T22:41:16.349937+00:00	GitLab Importer	Affected by	VCID-sd2a-hmu2-wbax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-32809.yml	38.3.0
2026-04-11T22:28:31.551373+00:00	GitLab Importer	Affected by	VCID-c8r2-wpf3-47f9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26271.yml	38.3.0
2026-04-11T22:28:25.561183+00:00	GitLab Importer	Affected by	VCID-h5zz-wz8f-2uf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26272.yml	38.3.0
2026-04-02T23:46:30.204103+00:00	GitLab Importer	Affected by	VCID-k7qp-c6vp-sqbg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2023-28439.yml	38.1.0
2026-04-02T23:07:17.666282+00:00	GitLab Importer	Affected by	VCID-xhp7-kqdk-tfeu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24729.yml	38.1.0
2026-04-02T23:07:09.187161+00:00	GitLab Importer	Affected by	VCID-un66-k85j-b7d2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24728.yml	38.1.0
2026-04-02T22:51:45.411266+00:00	GitLab Importer	Affected by	VCID-vj35-jtgq-8qbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-37695.yml	38.1.0
2026-04-02T22:51:43.033634+00:00	GitLab Importer	Affected by	VCID-sd2a-hmu2-wbax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-32809.yml	38.1.0
2026-04-02T22:40:07.836075+00:00	GitLab Importer	Affected by	VCID-c8r2-wpf3-47f9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26271.yml	38.1.0
2026-04-02T22:40:02.320964+00:00	GitLab Importer	Affected by	VCID-h5zz-wz8f-2uf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26272.yml	38.1.0
2026-04-01T18:09:42.999636+00:00	GitLab Importer	Affected by	VCID-k7qp-c6vp-sqbg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2023-28439.yml	38.0.0
2026-04-01T17:26:36.414392+00:00	GitLab Importer	Affected by	VCID-xhp7-kqdk-tfeu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24729.yml	38.0.0
2026-04-01T17:26:26.955199+00:00	GitLab Importer	Affected by	VCID-un66-k85j-b7d2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24728.yml	38.0.0
2026-04-01T17:09:51.891082+00:00	GitLab Importer	Affected by	VCID-vj35-jtgq-8qbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-37695.yml	38.0.0
2026-04-01T17:09:49.383011+00:00	GitLab Importer	Affected by	VCID-sd2a-hmu2-wbax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-32809.yml	38.0.0
2026-04-01T16:57:38.277046+00:00	GitLab Importer	Affected by	VCID-c8r2-wpf3-47f9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26271.yml	38.0.0
2026-04-01T16:57:31.331404+00:00	GitLab Importer	Affected by	VCID-h5zz-wz8f-2uf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2021-26272.yml	38.0.0