The latest open-source CKEditor4 release has security vulnerabilities.
Wasn’t able to find any information about the strategy of xWiki to handle the CKEditor Integration extension development.
What is the official statement of xWiki community?
Is there any way to upgrade CKEditor or use other alternative?
Do you plan to migrate to CKEditor5 in next releases?
The migration might be complicated and some of the features are available only with paid license…
so @mflorea would probably give you better answers, but short answer is no we don’t use CKEditor 4 - LTS but latest version of CKEditor which reached end of life support.
You can see a big discussion on Hi! Have any plan to use ckeditor 5 in XWiki? about the difficulty to migrate to CKEditor 5. We’re actively working on finding an alternative, you can check Choice of editor, we’re using Cristal development as a playground to also take a decision for the future editor in XWiki.
We’re not aware that the known vulnerabilities would affect the usage of CKEditor 4 in XWiki. We’re currently exploring replacing CKEditor by BlockNote by experimenting with it in Cristal, but it will take time to fully replace it in XWiki.
They let users to use LTS version of CKEditor4 with updates guaranted till december 2028.
Or at least some guide how to replace the built-in OSS version with the LTS might help.
To be honest, it is affecting the trust in your community.
Could you at least make it visible somewhere or warn users in some way?
There are 4-5 CVE’s affecting the oss CKEditor4, two of them of CVSS score 6+. Not sure which of them are affecting xWiki.
