View online: https://www.drupal.org/sa-contrib-2025-118
Project: CKEditor 5 Premium Features [1]
Date: 2025-December-03
Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0 <1.5.1 || >=1.6.0 <1.6.4
CVE IDs: CVE-2025-13980
Description: The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.
This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.
This access bypass is possible for any account with the /View published content/ permission, but the risk is mitigated by the fact that only images can be opened.
Solution: Install the latest version:
* If you use the 10.3 or higher or 11.x versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.6.4 [3].
* If you use the 10.0 to 10.2 versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.5.1 [4].
* If you use the 9.x version of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.3.6 [5].

A fix was also released for branches that are already unsupported. However, we recommend using the latest version that works with the version of Drupal core that you're using:

* CKEditor 5 Premium Features 1.4.3 [6].
* CKEditor 5 Premium Features 1.2.10 [7].
After the module is updated, if you are using the Export to Word or Export to PDF plugins, please grant the /Use exporters endpoints/ permission to roles that are allowed to use text formats with export plugins enabled.
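To check an installed release against the affected ranges listed above, here is an added example (not part of the advisory or of the module's code). The function names and the sample versions are assumptions made for illustration; only the range expression is taken from the advisory.

```python
import operator
import re

# Affected-version expression copied verbatim from the advisory.
AFFECTED = "<1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0 <1.5.1 || >=1.6.0 <1.6.4"

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_TERM = re.compile(r"^(<=|>=|<|>|=)?(\S+)$")


def parse_version(text):
    """Turn 'X.Y.Z' into a tuple of ints so 1.2.10 sorts after 1.2.9."""
    match = _VERSION.match(text.strip())
    if not match:
        # Dev snapshots and pre-releases cannot be placed reliably; check by hand.
        raise ValueError(f"cannot compare non-release version: {text!r}")
    return tuple(int(part) for part in match.groups())


def parse_constraint(expression):
    """Parse 'A B || C D' into OR-ed groups of AND-ed (operator, version) terms."""
    groups = []
    for alternative in expression.split("||"):
        terms = []
        for token in alternative.split():
            symbol, bound = _TERM.match(token).groups()
            terms.append((symbol or "=", parse_version(bound)))
        groups.append(terms)
    return groups


def is_affected(installed, expression=AFFECTED):
    """Return True when the installed release falls inside any affected range."""
    version = parse_version(installed)
    return any(
        all(OPS[symbol](version, bound) for symbol, bound in group)
        for group in parse_constraint(expression)
    )


if __name__ == "__main__":
    # Constructed sample versions, e.g. as reported by `composer show`.
    for sample in ("1.2.9", "1.2.10", "1.4.2", "1.5.1", "1.6.3", "1.6.4"):
        print(sample, "AFFECTED" if is_affected(sample) else "ok")
```
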
Reported By:
* Wojciech Kukowski (salmonek) [8]

Fixed By:
* Wojciech Kukowski (salmonek) [9]

Coordinated By:
* Greg Knaddison (greggles) [10] of the Drupal Security Team
* Juraj Nemec (poker10) [11] of the Drupal Security Team
* Jess (xjm) [12] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [13]

[1] https://www.drupal.org/project/ckeditor5_premium_features
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.6.4
[4] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.5.1
[5] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.3.6
[6] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.4.3
[7] https://www.drupal.org/project/ckeditor5_premium_features/releases/1.2.10
[8] https://www.drupal.org/u/salmonek
[9] https://www.drupal.org/u/salmonek
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/poker10
[12] https://www.drupal.org/u/xjm
[13] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....