CVE-2025-61261

Publication date 7 November 2025

Last updated 12 November 2025

Ubuntu priority

Cvss 3 Severity Score

Description

A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ckeditor	25.10 questing	Needs evaluation
	25.04 plucky	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
ckeditor3	25.10 questing	Not in release
	25.04 plucky	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
ldap-account-manager	25.10 questing	Needs evaluation
	25.04 plucky	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
request-tracker4	25.10 questing	Needs evaluation
	25.04 plucky	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

Notes

sbeattie

embedded copies of ckeditor are in ldap-account-manager, rt4, and rt5

rodrigo-zaiden

from the blog post this seems to affect Angular and being explored with CKeditor, not sure if there will be a fix for CKeditor.

Severity score breakdown

Parameter	Value
Base score	5.4 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N