CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.

The version of CKEditor included on the remote web host prior to 47.6.0. It may, therefore, be affected by a cross-site scripting (XSS) vulnerability. 

  - CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Prior to version 47.6.0, a     cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This     vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized     JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This     issue has been patched in version 47.6.0. (CVE-2026-28343)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the CKEditor application running on the remote host is prior to 47.6.0. It is, therefore, affected by a Cross-Site Scripting (XSS) vulnerability in the General HTML Support feature.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0     and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General     HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading     to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support     configuration. This issue has been patched in version 47.6.0. (CVE-2026-28343)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
301995	CKEditor < 47.6.0 XSS	Nessus	CGI abuses : XSS	medium
115159	CKEditor < 47.6.0 Cross-Site Scripting	Web App Scanning	Component Vulnerability	medium
301533	Linux Distros Unpatched Vulnerability : CVE-2026-28343	Nessus	Misc.	medium

Detections

Analytics

CVE-2026-28343

medium

Tenable Plugins

medium

medium

medium