AIKIDO-2025-10893

drupal/ckeditor5_premium_features is vulnerable to Access bypass

Access bypass, CVE-2025-13980

60

Medium Risk

This Affects:

PHP: drupal/ckeditor5_premium_features
0.0.1 - 1.2.9: fixed in 1.2.10
1.3.0 - 1.3.5: fixed in 1.3.6
1.4.0 - 1.4.2: fixed in 1.4.3
1.5.0 - 1.5.0: fixed in 1.5.1
1.6.0 - 1.6.3: fixed in 1.6.4

TL;DR

Affected versions of this package are vulnerable to access bypass: the module that integrates CKEditor 5 Premium plugins into Drupal exposes a path traversal vulnerability that lets users with only the *view published content* permission access restricted image files. The impact stays limited because only images can be opened.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/ckeditor5_premium_features is vulnerable to Access bypass in versions 0.0.1 - 1.2.9, 1.3.0 - 1.3.5, 1.4.0 - 1.4.2, 1.5.0 - 1.5.0 and 1.6.0 - 1.6.3.
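
To check a site against these ranges, the following added example (not code from Aikido or the module's maintainers) reads a composer.lock and reports whether the installed drupal/ckeditor5_premium_features version is affected and which release fixes it. The function names and the sample lock contents are constructed for illustration. It assumes plain x.y.z version strings and reports anything else (dev branches, pre-releases) as "unknown" for manual review.

```python
import json
import re

PACKAGE = "drupal/ckeditor5_premium_features"
# (first affected, last affected, fixed in), copied from the advisory above.
AFFECTED = [
    ((0, 0, 1), (1, 2, 9), "1.2.10"),
    ((1, 3, 0), (1, 3, 5), "1.3.6"),
    ((1, 4, 0), (1, 4, 2), "1.4.3"),
    ((1, 5, 0), (1, 5, 0), "1.5.1"),
    ((1, 6, 0), (1, 6, 3), "1.6.4"),
]


def parse_version(raw):
    """Return (major, minor, patch), or None for dev/branch/pre-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_lock(lock_text):
    """Return (status, installed, fixed_in); status is absent/unknown/vulnerable/ok."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        raw = pkg.get("version", "")
        ver = parse_version(raw)
        if ver is None:
            return ("unknown", raw, None)  # cannot compare: review by hand
        for low, high, fixed in AFFECTED:
            if low <= ver <= high:
                return ("vulnerable", raw, fixed)
        return ("ok", raw, None)
    return ("absent", None, None)


# Constructed sample lock file contents (not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": PACKAGE, "version": "1.4.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

On a real project, pass the contents of the site's composer.lock to check_lock instead of SAMPLE_LOCK.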

How to fix this

Upgrade drupal/ckeditor5_premium_features to the patched version for your release line: 1.2.10, 1.3.6, 1.4.3, 1.5.1 or 1.6.4.