CVE-2026-28343: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ckeditor ckeditor5
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
AI Analysis
Technical Summary
CVE-2026-28343 is a cross-site scripting (XSS) vulnerability identified in CKEditor 5, a widely used modern JavaScript rich-text editor with an MVC architecture. The vulnerability resides in the General HTML Support feature, which allows users to insert arbitrary HTML markup. Prior to version 47.6.0, if the editor instance was configured with an unsafe General HTML Support setup, specially crafted markup could be injected that bypasses input neutralization controls. This leads to unauthorized execution of JavaScript code within the context of the affected web application. The vulnerability requires the attacker to have low privileges (PR:L) but does not require user interaction (UI:N), and it can be exploited remotely over the network (AV:N). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The CVSS v3.1 base score is 6.4, reflecting medium severity, with impacts on confidentiality and integrity but not availability. The issue has been patched in CKEditor 5 version 47.6.0. No known exploits have been reported in the wild, but the vulnerability poses a significant risk if the unsafe configuration is present in production environments. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation.
Potential Impact
The primary impact of this vulnerability is unauthorized execution of JavaScript code in the context of affected web applications, which can lead to data theft, session hijacking, or manipulation of web content. This compromises the confidentiality and integrity of user data and application state. Since CKEditor 5 is embedded in many web platforms globally, vulnerable instances could be targeted to perform phishing, defacement, or further attacks on users. The vulnerability does not affect availability directly but can undermine user trust and lead to reputational damage. Organizations relying on CKEditor 5 with unsafe General HTML Support configurations are at risk, especially those handling sensitive user data or operating in regulated industries. The ease of exploitation is moderate: low privileges are required but no user interaction is needed, which increases the likelihood of automated or targeted attacks if the vulnerability is weaponized.
Mitigation Recommendations
Organizations should immediately upgrade CKEditor 5 to version 47.6.0 or later, where the vulnerability is patched. Review and harden the General HTML Support configuration to restrict allowed HTML elements and attributes, minimizing the attack surface. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct thorough input validation and output encoding on all user-supplied content, even when using rich-text editors. Regularly audit third-party components like CKEditor for updates and vulnerabilities. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting CKEditor instances. Educate developers and administrators about secure configuration practices for rich-text editors to prevent unsafe setups.
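As an added example, not code from the CKEditor project or from this advisory, the following JavaScript places a permissive General HTML Support configuration beside a restricted one, audits a configuration object for the over-permissive patterns the recommendations above describe, and builds a nonce-based Content Security Policy header. The rule shape (`name`, `attributes`, `classes`, `styles` under `htmlSupport.allow` and `htmlSupport.disallow`) follows CKEditor 5's documented GHS configuration; the particular allowlist, the `matchesAnything`, `auditGhsConfig` and `buildCspHeader` helpers, and the probe-name heuristic are assumptions made for illustration.

```javascript
// Added example (not CKEditor's own code): auditing a CKEditor 5 General HTML
// Support (GHS) configuration for over-permissive rules, plus a minimal CSP.
// Assumption: rules use the documented GHS shape (name/attributes/classes/styles,
// each a string, RegExp, boolean or array). The allowlist below is hypothetical.

// Permissive configuration: every element with every attribute, class and
// inline style is preserved. This is the kind of setup the advisory calls unsafe.
const unsafeGhsConfig = {
  htmlSupport: {
    allow: [{ name: /.*/, attributes: true, classes: true, styles: true }],
  },
};

// Hardened configuration: a short explicit allowlist, plus a disallow rule for
// inline event-handler attributes on any element (hypothetical starting point;
// tune it to the markup the application actually needs).
const hardenedGhsConfig = {
  htmlSupport: {
    allow: [
      { name: 'span', classes: ['highlight', 'note'] },
      { name: 'abbr', attributes: ['title'] },
      { name: 'a', attributes: ['href', 'rel'] },
    ],
    disallow: [{ name: /.*/, attributes: /^on/i }],
  },
};

// True when a pattern would match any element or attribute name: either the
// boolean `true` or a RegExp that accepts an arbitrary probe name (heuristic).
function matchesAnything(pattern) {
  if (pattern === true) return true;
  if (pattern instanceof RegExp) return pattern.test('probe-name');
  return false;
}

// Audits GHS rules and returns a list of findings; an empty list means nothing
// was flagged. Only the configuration object is inspected, no editor is loaded.
function auditGhsConfig(config) {
  const findings = [];
  const ghs = (config && config.htmlSupport) || {};
  const allow = Array.isArray(ghs.allow) ? ghs.allow : [];
  const disallow = Array.isArray(ghs.disallow) ? ghs.disallow : [];

  allow.forEach((rule, i) => {
    const label = `allow[${i}]`;
    if (matchesAnything(rule.name)) {
      findings.push(`${label}: element pattern matches every tag`);
    }
    for (const field of ['attributes', 'classes', 'styles']) {
      if (matchesAnything(rule[field])) {
        findings.push(`${label}: ${field} unrestricted`);
      }
    }
  });

  // If any allow rule admits attributes by pattern rather than by explicit
  // list, there must be a disallow rule that rejects on* handlers everywhere.
  const admitsAttributesByPattern = allow.some(
    (rule) => rule.attributes === true || rule.attributes instanceof RegExp
  );
  const blocksEventHandlers = disallow.some(
    (rule) =>
      matchesAnything(rule.name) &&
      rule.attributes instanceof RegExp &&
      rule.attributes.test('onload')
  );
  if (admitsAttributesByPattern && !blocksEventHandlers) {
    findings.push('no disallow rule for inline event-handler attributes (on*)');
  }
  return findings;
}

// Builds a CSP header that only permits scripts carrying a per-response nonce,
// so markup that survives editor-side filtering still cannot execute script.
// The caller must generate a fresh, unpredictable nonce for every response.
function buildCspHeader(nonce) {
  if (typeof nonce !== 'string' || !/^[A-Za-z0-9+/=_-]{16,}$/.test(nonce)) {
    throw new Error('nonce must be a random string of at least 16 characters');
  }
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

console.log('unsafe config findings:', auditGhsConfig(unsafeGhsConfig));
console.log('hardened config findings:', auditGhsConfig(hardenedGhsConfig));
console.log(buildCspHeader('c29tZS1yYW5kb20tbm9uY2U'));
```

Run the audit against the configuration object passed to `ClassicEditor.create()` in a unit test or a CI step, so that an over-permissive `htmlSupport` block fails the build before it reaches production; the CSP header is applied by the server that renders the page, not by the editor.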
Affected Countries
United States, Germany, United Kingdom, India, Japan, France, Canada, Australia, Netherlands, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T18:38:13.889Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a9df7061e8e69ef5e51b1f
Added to database: 3/5/2026, 7:54:24 PM
Last enriched: 3/5/2026, 8:08:40 PM
Last updated: 3/5/2026, 9:57:59 PM