CIVI-SA-2021-09: CKEditor (Multiple Advisories)

2021-08-17 12:00

Written by dev-team (member of the CiviCRM community)

CiviCRM includes a rich text editing component, CKEditor, which recently released a security update (v4.16.2). This update addresses 3 security issues.

We expect that these vulnerabilities cannot be meaningfully exploited by automated bots or crawlers, but they may be exploitable with modest social engineering (for example, a user being persuaded to paste crafted content into the editor). Thus, we advise upgrading (or using one of the alternative solutions below).

Security Risk

Moderately Critical (Cross Site Scripting)

Affected Versions

CiviCRM 5.40.1 and earlier

Fixed Versions

CiviCRM version 5.40.2 and ESR version 5.39.2

Publication Date

2021-08-17

Solution

The recommended solution is:

  • Upgrade to CiviCRM v5.40.2+ or v5.39.2+ (ESR)

If you need a short-term alternative, any ONE of the following will mitigate the vulnerability:

  • Perform a temporary upgrade to CKEditor v4.16.2+

  • Switch to CKEditor v5.x
    • Install the "CKEditor 5" extension (also available for in-app download)
    • Navigate to "Administer => Customize Data and Screens => Display Preferences"
    • Change the "WYSIWYG Editor" setting to "CKEditor 5"
  • Disable CKEditor
    • Navigate to "Administer => Customize Data and Screens => Display Preferences"
    • Change the "WYSIWYG Editor" setting to "Textarea"
  • Refrain from pasting third-party content into CKEditor
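The following is an added example (not CiviCRM's or CKEditor's own code) that turns the version boundaries and mitigations above into a repeatable check. It encodes the affected and fixed CiviCRM lines exactly as stated in this advisory, and it reads the bundled CKEditor version out of a built ckeditor.js by matching a `version:"x.y.z"` literal (an assumption about the bundle layout; adjust the pattern for other builds). The ckeditor.js fragment, the site versions and the setting values are constructed sample inputs. It does not probe anything; it only reports whether the combination of CiviCRM version, editor setting and bundled CKEditor leaves the site fixed, mitigated, vulnerable, or undetermined.

```python
"""Audit a CiviCRM site against CIVI-SA-2021-09 (added example, not CiviCRM code)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Version boundaries stated in the advisory.
CIVI_FIXED_BY_LINE = {(5, 39): (5, 39, 2),   # ESR line: fixed in 5.39.2
                      (5, 40): (5, 40, 2)}   # main line: fixed in 5.40.2
CIVI_FIRST_UNAFFECTED_LINE = (5, 41)         # later release lines carry the fix
CKEDITOR4_FIXED = (4, 16, 2)                 # CKEditor 4 security release


def parse_version(text: str) -> Version:
    """'5.40.1', 'v4.16.2' or '5.40' -> tuple of ints (missing patch level = 0)."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def civicrm_is_fixed(version: str) -> bool:
    """True when the CiviCRM release already contains the ported fix."""
    v = parse_version(version)
    line = v[:2]
    if line >= CIVI_FIRST_UNAFFECTED_LINE:
        return True
    fixed = CIVI_FIXED_BY_LINE.get(line)
    # Lines before 5.39 (and 5.39.x/5.40.x below the fixed patch) are affected.
    return fixed is not None and v >= fixed


def ckeditor_version_from_js(js: str) -> Optional[str]:
    """Extract the version literal from a built ckeditor.js.

    Assumption: the bundle carries `version:"4.16.2"` (CKEditor 4 style) or
    `CKEDITOR.version = "..."`. Returns None when no such literal is found.
    """
    m = re.search(r'version\s*[:=]\s*["\'](\d+\.\d+\.\d+)["\']', js)
    return m.group(1) if m else None


def ckeditor_is_fixed(version: str) -> bool:
    """CKEditor 5.x is the advisory's alternative; 4.x needs 4.16.2 or later."""
    v = parse_version(version)
    return v[0] >= 5 or v >= CKEDITOR4_FIXED


def audit(civi_version: str, ckeditor_js: str, wysiwyg_editor: str) -> Dict[str, str]:
    """Classify a site as fixed, mitigated, vulnerable or unknown."""
    if civicrm_is_fixed(civi_version):
        return {"status": "fixed", "reason": f"CiviCRM {civi_version} includes the fix"}
    if wysiwyg_editor == "Textarea":
        return {"status": "mitigated", "reason": "CKEditor is disabled (Textarea editor)"}
    if wysiwyg_editor == "CKEditor 5":
        return {"status": "mitigated", "reason": "CKEditor 5 extension is in use"}
    bundled = ckeditor_version_from_js(ckeditor_js)
    if bundled is None:
        return {"status": "unknown", "reason": "could not read CKEditor version from bundle"}
    if ckeditor_is_fixed(bundled):
        return {"status": "mitigated", "reason": f"bundled CKEditor {bundled} is patched"}
    return {"status": "vulnerable",
            "reason": f"CiviCRM {civi_version} with CKEditor {bundled} below 4.16.2"}


# Constructed sample: the opening of a CKEditor 4 build, not a real file.
SAMPLE_CKEDITOR_JS = ('(function(){window.CKEDITOR=function(){var a={timestamp:"K7OB",'
                      'version:"4.14.0",revision:"abc123"};')

if __name__ == "__main__":
    for civi, setting in [("5.40.1", "CKEditor 4"), ("5.40.1", "Textarea"), ("5.40.2", "CKEditor 4")]:
        print(civi, setting, "->", audit(civi, SAMPLE_CKEDITOR_JS, setting))
```

Run it against the real values from your site: the CiviCRM version from the administration screen, the `WYSIWYG Editor` display preference, and the contents of the deployed ckeditor.js. The tuple comparison is deliberate: a plain string comparison would rank "4.9.0" above "4.16.2".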

Credits

Anton Subbotin, Mika Kulmala, and the CKEditor team for identifying and fixing the vulnerabilities.

Jude Hungerford, Seamus Lee, and the CiviCRM security team for referring/porting to CiviCRM.