Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-December-03
Vulnerability:
Access bypass
Affected versions:
<1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0 <1.5.1 || >=1.6.0 <1.6.4
CVE IDs:
CVE-2025-13980
Description:
The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.
This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.
This access bypass is possible for any account with a View published content permission, but the risk is mitigated by the fact that only images can be opened.
Solution:
Install the latest version:
- If you use the 10.3 or higher or 11.x versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.6.4.
- If you use the 10.0 to 10.2 versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.5.1.
- If you use the 9.x version of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.3.6.
A fix was also released to already unsupported branches. However, we recommend to use the latest version that works with the version of Drupal core that you're using:
After the module is updated, if you are using the Export to Word or Export to PDF plugins, please grant the Use exporters endpoints permission to roles that are allowed to use text formats with export plugins enabled.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
