GHSA-cj3w-g42v-wcj6: 
PHP vulnerability analysis and mitigation

The vulnerability (GHSA-cj3w-g42v-wcj6) affects the RichText field type in ibexa/fieldtype-richtext package, discovered in April 2025. This high-severity XML External Entity (XXE) injection vulnerability affects versions 4.6.* of the package, with version 4.6.19 providing the patch. The vulnerability was discovered and reported by security researchers from Compass Security Deutschland GmbH (GitHub Advisory).

The vulnerability allows attackers with editor privileges to perform XML external entity (XXE) injection attacks by crafting malicious input into the RichText XML. The issue received a CVSS v4 base score of 7.1 (High), with attack vectors including Network accessibility, Low attack complexity, and requiring Low privileges. The vulnerability primarily impacts system confidentiality (GitHub Advisory).

If successfully exploited, the vulnerability could allow attackers to read files on the server through XXE injection. The impact is particularly concerning for content that has already been published, as the malicious content cannot be automatically detected or removed once stored in the system (GitHub Advisory, Ibexa Advisory).

The primary mitigation is to upgrade to the patched version 4.6.19. The fix removes unsafe elements from XML code while preserving safe elements. For organizations unable to update immediately, a workaround exists: ensure that editor access is strictly limited to trusted users and avoid granting edit permissions to external parties (GitHub Advisory).