CKEditor 5 v44.2.1 Release Highlights: Security fix introduced

The CKEditor 5 v44.2.1 has been released to address a Cross-Site Scripting (XSS) vulnerability (CVE-2025-25299) in the real-time collaboration package.

# UPDATED Security Fix for Real-time Collaboration Package

During an internal audit, a Cross-Site Scripting (XSS) vulnerability (CVE-2025-25299) was discovered in the CKEditor 5 real-time collaboration package. This vulnerability could potentially allow unauthorized JavaScript execution, and affects user markers, which represent users’ positions within the document.

This vulnerability impacts only installations of versions between v41.3.0 and v44.2.0 that are configured with Real-time collaborative editing.

For more details you can refer to the security advisory or contact us if you have more questions.

# Quick links for CKEditor v44.2.0

• Download the latest version of CKEditor: CDN, npm or zip packages.

• CKEditor 5 Builder

• CKEditor 5 installation guides

• CKEditor 5 documentation

• CKEditor 5 changelog

• CKEditor 5 pricing 

• CKEditor 5 license

• Getting support for CKEditor 5 

• Report issues on GitHub repository

# Learn more about previous CKEditor 5 versions

• CKEditor 5 v44.2.0 Release Highlights: Introducing Enhanced Source Code Editing, Image Optimizer, Emoji feature, and more

• CKEditor 5 v44.0.0 Release Highlights: Introducing Self-Service Plans and the Bookmarks Feature

• CKEditor 5 v43.3.0: Bug Fixes, Performance Improvements and Export to Word Watermark Support

• CKEditor v43.1.1 Release Highlights: Security fix introduced

• CKEditor v43.0.0 Release Highlights - All-new Merge Fields and Export to Word v2

• CKEditor v42.0.0 Release Highlights: new installation methods and builder unveiled