Aikido Intel
Secure My Code
Intel

AIKIDO-2025-10893

drupal/ckeditor5_premium_features is vulnerable to Access bypass

Access bypassCVE-2025-13980 Published Dec 5, 2025

60

Medium Risk

This Affects:

PHPdrupal/ckeditor5_premium_features
0.0.1 - 1.2.9
Fixed in 1.2.10
1.3.0 - 1.3.5
Fixed in 1.3.6
1.4.0 - 1.4.2
Fixed in 1.4.3
1.5.0 - 1.5.0
Fixed in 1.5.1
1.6.0 - 1.6.3
Fixed in 1.6.4
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to access bypass: the module that integrates CKEditor 5 Premium plugins into Drupal exposes a path traversal vulnerability that lets users with only the *view published content* permission access restricted image files. The impact stays limited because only images can be opened.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/ckeditor5_premium_features is vulnerable to Access bypass in versions 0.0.1 - 1.2.9, 1.3.0 - 1.3.5, 1.4.0 - 1.4.2, 1.5.0 - 1.5.0 and 1.6.0 - 1.6.3.

How to fix this

Upgrade the drupal/ckeditor5_premium_features library to the patch version.

Links

Are You Affected?

Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.

Scan for Free
Book a Demo

Free. No credit card required.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done