Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.

Affected Packages

Packagist drupal/core

Affected versions: 10.0.0 (fixed in 10.2.10)

Related CVEs

CVE-2024-11942

Key Information

GHSA ID

GHSA-52jr-x6h6-xj6g

Published

December 5, 2024 3:31 PM

Last Modified

December 5, 2024 7:58 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

drupal/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.