Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026

Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026

Project: Webform
Date: 2021-August-25
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting


The Webform module uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Webform.

An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

For more information, see CKEditor's announcement of the release.


Install the latest version:

If you use the Webform module module for Drupal 8/9 upgrade to Webform 8.x-5.28 or Webform 6.0.5.

If you are using a previous release of the Webform module you can immediately do one of several options.

  • Update Drupal
  • If you are using Composer, run drush webform:libraries:composer > DRUPAL_ROOT/composer.libraries.json and run composer update
  • If you are using Drush, run drush webform:libraries:update

Learn more about updating Webform libraries.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.