We are happy to announce the release of CKEditor 5 v47.7.1.
Release highlights
The release addresses a vulnerability identified in the protobuf.js package (CVE-2026-41242), used within our @ckeditor/ckeditor5-operations-compressor package for real-time collaboration.
Our analysis confirms that this vulnerability does not affect CKEditor 5, as all protobuf definitions are static and pre-compiled at build time, and are never parsed or compiled from untrusted input at runtime - which is the condition required to exploit this issue.
This release primarily aims to ensure that our customers using real-time collaboration features do not encounter unnecessary security alerts from their scanning tools. We are committed to maintaining the highest security standards, and this update reflects our ongoing efforts to safeguard user environments proactively.
Released packages
Check out the Versioning policy guide for more information.
Other releases:
Released packages (summary)