ckeditor is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists because the value entered in the CKEditor source area is not sanitized, which allows XSS attacks to occur when the editor is switched to WYSIWYG mode.
ckeditor.com/blog/CKEditor-4.11-with-emoji-dropdown-and-auto-link-on-typing-released/
ckeditor.com/cke4/release/CKEditor-4.11.0
github.com/ckeditor/ckeditor-releases/commit/771a944d579c099f6af3d6c9e4b6cc3099b3d24b
github.com/ckeditor/ckeditor4/commit/f4c14b67f49e2e03c4009745d086e3e6989f6f56
github.com/ckeditor/ckeditor4/pull/2487