Important update for CKEditor 4 Users

[jacekbogdanski]

As we approach the one-year anniversary of CKEditor 4 reaching its end of life, it's crucial to emphasize the importance of maintaining a secure software environment.

Starting July 1st, we'll activate security notifications for CKEditor 4. This change will impact the open-source version 4.22 and all earlier versions served via our CDN. These notifications will alert users and integrators to the presence of unsecured CKEditor 4 versions, which may be vulnerable to security threats. As of this writing, the latest secure version of CKEditor 4 is 4.24.0-lts. Applications using secure CKEditor 4 versions won’t be impacted by these notifications.

Our aim with this initiative is to raise awareness about the risks associated with using version 4.22 and below, which have known security vulnerabilities. We want to ensure all integrators are informed and able to make informed decisions about their next steps.

Options for Integrators

For integrators, we recognize that seeing these notifications may not always be ideal. Therefore, CKEditor 4 includes an option to disable these security notifications. However, while this may offer temporary relief, we strongly advise against continuing to use an unsecured version of CKEditor 4. Disabling notifications without addressing underlying security risks leaves your application exposed to potential threats.

For those interested in using the latest, secure version of CKEditor 4, reach out to us regarding obtaining a CKE 4 LTS license.

You may manually disable security notifications for the editor using the following configuration option: config.versionCheck

CKEDITOR.replace( 'editor', {
    // Disable security notifications.
    versionCheck: false
} );

We’ve prepared additional content to help you learn more about our Extended Support Model for CKEditor 4 and how we can help keep your application secure.