April 18th, 2018
image2 plugin (which Drupal 8 core also uses).
We would like to thank the CKEditor team for patching the vulnerability, coordinating the fix and release process, and matching the Drupal core security window.
- If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
- The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.