CVE-2024-24816

MEDIUM

CKEditor4 < 4.24.0-lts - Cross-Site Scripting via Preview Feature

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-24816. PoCs published by afine-com.

AI-analyzed exploit summary The repository provides a detailed technical analysis of CVE-2024-24816, an XSS vulnerability in CKEditor 4's preview feature. It includes the root cause, affected versions, and a proof-of-concept payload demonstrating the vulnerability.

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor 4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.

Exploits (1)

nomisec WRITEUP 2 stars

by afine-com · poc

https://github.com/afine-com/CVE-2024-24816

View Code ZIP pw:eip

The repository provides a detailed technical analysis of CVE-2024-24816, an XSS vulnerability in CKEditor 4's preview feature. It includes the root cause, affected versions, and a proof-of-concept payload demonstrating the vulnerability.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: CKEditor 4 < 4.24.0-lts

No auth needed

Prerequisites: Access to a CKEditor 4 instance with the preview feature enabled

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76

Patch x_refsource_misc

https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb

View Patch ZIP pw:eip

Product x_refsource_misc

https://ckeditor.com/cke4/addon/preview

Scores

CVSS v3 6.1

EPSS 0.3983

EPSS Percentile 97.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

ckeditor/ckeditor 4.0 - 4.24.0

npm/ckeditor4 0 - 4.24.0-ltsnpm

Published Feb 07, 2024

Tracked Since Feb 18, 2026