- Backdrop Core 1.19.x versions prior to 1.19.1
- Backdrop Core 1.18.x versions prior to 1.18.5

Backdrop versions 1.17 and prior do not receive security coverage.

Backdrop core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.

Update (2021-06-11): More details are available on CKEditor's blog.