CVE-2026-25581
- Source
- https://cve.org/CVERecord?id=CVE-2026-25581
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25581.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25581
- Aliases
- Published
- 2026-02-06T20:58:02.788Z
- Modified
- 2026-03-14T12:47:39.379812Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- SCEditor affected by DOM XSS via emoticon URL/HTML injection
- Details
-
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.
- Database specific
{ "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25581.json", "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/samclarke/SCEditor
Affected ranges
- Type
- GIT
- Repo
- https://github.com/samclarke/SCEditor
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "3.2.1" } ] }
- Type
- GIT
- Repo
- https://github.com/samclarke/sceditor
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.5.1
v1.*
v1.0
v1.1
v1.2
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.2
v1.3.4
v1.3.5
v1.3.6
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.6
v1.4.7
v1.5.0
v1.5.1
v1.5.2
v2.*
v2.0.0
v2.0.0-beta1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v3.*
v3.0.0
v3.1.0
v3.1.1
v3.2.0