CVE-2021-37695 | Execution of JavaScript code using malformed HTML in ckeditor

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.

Published: 2021-08-12 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-37695 is rated Moderate Risk (53.3/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.32%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2021-37695

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.74% 1.32% +0.58%
2 2026-03-04 0.37% 0.74% +0.37%
3 2026-03-01 0.37%

Full EPSS history (51 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-37695

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.3 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.
2.1 5.2 [email protected]
5.4 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
2.3 2.7 [email protected]
3.5 2.0 LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S)
A single authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
6.8 2.9 [email protected]

Weakness enumeration for CVE-2021-37695

GitHub Security Advisory for CVE-2021-37695

GHSA-m94c-37g6-cjhc · Severity: high · Ecosystem: npm — Fake objects feature vulnerability allowing to execute JavaScript code using malformed HTML.

OS Trackers for CVE-2021-37695

vendor priority summary link
debian unimportant CVE-2021-37695 unimportant priority: Debian including 2 source packages (ckeditor, ckeditor3), 4 status rows across 2 suites (bookworm, bullseye): resolved 3, open 1. https://security-tracker.debian.org/tracker/CVE-2021-37695
ubuntu medium CVE-2021-37695 medium priority: Ubuntu including 4 source packages (ckeditor, ckeditor3, ldap-account-manager, request-tracker4), 60 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 31, needs-triage 11, not-affected 9, DNE 5, released 4. https://ubuntu.com/security/CVE-2021-37695

Affected software / configurations for CVE-2021-37695

Vendor Product Version Raw CPE
ckeditor ckeditor < 4.16.2 cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
fedoraproject fedora 33 cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
fedoraproject fedora 34 cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
fedoraproject fedora 35 cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
oracle application_express < 21.1.4 cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*
oracle banking_party_management 2.7.0 cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
oracle commerce_guided_search 11.3.2 cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
oracle commerce_merchandising 11.3.2 cpe:2.3:a:oracle:commerce_merchandising:11.3.2:*:*:*:*:*:*:*
oracle documaker 12.6.3 cpe:2.3:a:oracle:documaker:12.6.3:*:*:*:*:*:*:*
oracle documaker 12.6.4 cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure >= 8.0.7, <= 8.1.1 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure 8.0.3 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:*:*:*:*:*:*:*
oracle financial_services_model_management_and_governance >= 8.0.8.0.0, <= 8.1.0.0.0 cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*
oracle jd_edwards_enterpriseone_tools < 9.2.6.0 cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.57 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.58 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.59 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

References for CVE-2021-37695

URL Tags
https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 Patch Third Party Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD/
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
cvelogic Threat Intelligence