SCA: security update for @ckeditor/ckeditor5-clipboard, ckeditor5 (GHSA-x9gp-vjh6-3wv6)

Severity: Low | Tenable Self-Hosted Container Security | Plugin ID 435182

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. ckeditor5 and
ckeditor5-clipboard versions 46.0.0 through 46.0.2 and 44.2.0 through 45.2.1 contain a Cross-Site
Scripting (XSS) vulnerability. Exploitation could be triggered by a specific user action (leading to
unauthorized JavaScript code execution) if the attacker managed to insert malicious content into the
editor, which might happen with a very specific editor configuration. This vulnerability affects
installations where the editor configuration meets one of the following criteria: the HTML embed plugin is
enabled, or a custom plugin introduces an editable element where the view RawElement is enabled.
This issue is fixed in versions 45.2.2 and 46.0.3 of both ckeditor5 and ckeditor5-clipboard.
(CVE-2025-58064)
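As an added example (not Tenable's plugin logic and not CKEditor's code), the script below applies the affected ranges and fixed versions stated above to the `packages` map of an npm package-lock.json (lockfile v2/v3); the sample lockfile, its package names other than the two advisory packages, and the nested-dependency path are constructed for illustration.

```javascript
// Added example: SCA-style check for GHSA-x9gp-vjh6-3wv6 / CVE-2025-58064. Not Tenable's plugin code.
// Affected ranges and the release that closes each, taken from the advisory text.
const RANGES = [
  { lo: "44.2.0", hi: "45.2.1", fixedIn: "45.2.2" },
  { lo: "46.0.0", hi: "46.0.2", fixedIn: "46.0.3" },
];
const AFFECTED = { "ckeditor5": RANGES, "@ckeditor/ckeditor5-clipboard": RANGES };

// Parse the numeric core of a version; prerelease/build labels are ignored
// (assumption: a prerelease such as 46.0.3-alpha.0 is treated like 46.0.3).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the matching range (with its fixedIn) when pkg@version is affected, else null.
function affectedRange(pkg, version) {
  const v = parseVersion(version);
  if (!v || !AFFECTED[pkg]) return null;
  return AFFECTED[pkg].find((r) =>
    compareVersions(v, parseVersion(r.lo)) >= 0 && compareVersions(v, parseVersion(r.hi)) <= 0) || null;
}

// Walk a lockfile v2/v3 "packages" map; nested copies under other packages count too.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // root project entry carries no package name
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const r = affectedRange(name, entry.version);
    if (r) findings.push({ name, version: entry.version, path, fixedIn: r.fixedIn });
  }
  return findings;
}

// Constructed sample lockfile: one direct and one nested affected copy, two clean packages.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/ckeditor5": { version: "46.0.1" },
    "node_modules/@ckeditor/ckeditor5-clipboard": { version: "45.2.2" },
    "node_modules/legacy-widget/node_modules/@ckeditor/ckeditor5-clipboard": { version: "44.2.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

Replace `SAMPLE_LOCK` with the parsed contents of a real package-lock.json to run the check against a project; the nested path is why a `npm ls` of the top level alone can miss an affected copy.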

See Also

https://github.com/advisories/GHSA-x9gp-vjh6-3wv6

Plugin Details

Severity: Low

ID: 435182

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 9/3/2025

Updated: 6/8/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.0

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2025-58064

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.3

Threat Score: 0.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/3/2025

Vulnerability Publication Date: 9/3/2025

Reference Information

CVE: CVE-2025-58064

CWE: CWE-79