VulnerableCode Package Details - pkg:npm/ckeditor@4.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-39xu-3gsh-hbe9 Aliases: CVE-2022-24728 GHSA-4fc4-4p5g-6w89	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.	There are no reported fixed by versions.
VCID-pwe8-razn-buae Aliases: CVE-2018-17960 GHSA-g68x-vvqq-pvw3	Ckeditor XSS Vulnerability CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, it is recommended to upgrade to the latest editor version.	4.11.0 Affected by 0 other vulnerabilities.
VCID-v8en-17hx-mqbv Aliases: CVE-2023-28439 GHSA-vh5c-xwqv-cv9g	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.	There are no reported fixed by versions.
VCID-xgxf-ad4q-5kaq Aliases: CVE-2022-24729 GHSA-f6rf-9m92-x2hh	CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.	4.18.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-39xu-3gsh-hbe9
Aliases:
CVE-2022-24728
GHSA-4fc4-4p5g-6w89

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

There are no reported fixed by versions.

VCID-pwe8-razn-buae
Aliases:
CVE-2018-17960
GHSA-g68x-vvqq-pvw3

Ckeditor XSS Vulnerability CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, it is recommended to upgrade to the latest editor version.

4.11.0
Affected by 0 other vulnerabilities.

VCID-v8en-17hx-mqbv
Aliases:
CVE-2023-28439
GHSA-vh5c-xwqv-cv9g

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.

There are no reported fixed by versions.

VCID-xgxf-ad4q-5kaq
Aliases:
CVE-2022-24729
GHSA-f6rf-9m92-x2hh

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

4.18.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:13:59.603058+00:00	GitLab Importer	Affected by	VCID-v8en-17hx-mqbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2023-28439.yml	36.1.3
2025-07-01T18:12:50.126640+00:00	GitLab Importer	Affected by	VCID-xgxf-ad4q-5kaq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24729.yml	36.1.3
2025-07-01T18:12:49.567258+00:00	GitLab Importer	Affected by	VCID-39xu-3gsh-hbe9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2022-24728.yml	36.1.3
2025-07-01T18:11:19.654608+00:00	GitLab Importer	Affected by	VCID-pwe8-razn-buae	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ckeditor/CVE-2018-17960.yml	36.1.3