CVE-2025-13980

CVE-2025-13980: CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

Vendor Drupal
Product CKEditor 5 Premium Features
Weakness CWE-288
Published January 28, 2026
Last update January 29, 2026

CVSS base score

What the vulnerability does

01 Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4.

Explanation of Vulnerability in Simple Terms

02 Summary

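A vulnerability in the Drupal CKEditor 5 Premium Features module allows attackers to bypass authentication mechanisms. The module fails to properly validate user credentials or session tokens, potentially allowing unauthorized access to editor functionality. All versions before 1.2.10 are affected, as are 1.3.x before 1.3.6, 1.4.x before 1.4.3, 1.5.x before 1.5.1 and 1.6.x before 1.6.4. Site administrators should update immediately to version 1.2.10 or later, choosing the fixed release for their branch (1.3.6, 1.4.3, 1.5.1 or 1.6.4 on the newer branches).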
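The affected ranges in the description are per release branch, so a single "at least 1.2.10" comparison would wrongly clear a site running 1.3.5. The following is an added example, not code from Drupal or the module's maintainers, that checks an installed version string against those ranges; the function names and the treatment of pre-release suffixes are assumptions.

```python
import re

# Affected ranges from the advisory text: (first affected, first fixed) per branch.
AFFECTED_RANGES = [
    ("0.0.0", "1.2.10"),
    ("1.3.0", "1.3.6"),
    ("1.4.0", "1.4.3"),
    ("1.5.0", "1.5.1"),
    ("1.6.0", "1.6.4"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-suffix' into a sortable tuple.

    Assumption: a pre-release suffix (-rc1, -beta2) sorts before the plain
    release, so 1.3.6-rc1 is still treated as unfixed.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in match.group(1, 2, 3))
    is_final = 0 if match.group(4) else 1
    return (major, minor, patch, is_final)


def fixed_release_for(installed):
    """Return the first fixed release for an affected version, else None."""
    version = parse_version(installed)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Lower bound includes pre-releases of the range start (assumption).
        low = parse_version(first_affected)[:3] + (0,)
        if low <= version < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(installed):
    return fixed_release_for(installed) is not None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for sample in ["1.2.9", "1.2.10", "1.3.5", "1.6.4-rc1", "1.6.4"]:
        target = fixed_release_for(sample)
        print(sample, "affected, update to " + target if target else "not in an affected range")
```

Versions that fall outside every listed range, such as 1.2.11, are reported as not affected because the description does not list them.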

What an attacker can do

03 Attacker Capabilities

Bypass authentication to access CKEditor 5 Premium Features without valid credentials.

Potential impact on your site

04 Site Impact

Unauthorized users may access premium editor features or sensitive content editing capabilities.

Conditions required to exploit

05 Prerequisites

Network access to the Drupal site; specific attack method unclear due to missing CVSS data.

Key dates

06 Disclosure timeline

January 28, 2026 CVE published
January 29, 2026 Record updated