GHSA-25fq-6qgg-qpj8

Source

https://github.com/advisories/GHSA-25fq-6qgg-qpj8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-25fq-6qgg-qpj8/GHSA-25fq-6qgg-qpj8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-25fq-6qgg-qpj8

Aliases

CVE-2026-25581

Published

2026-02-06T18:34:30Z

Modified

2026-02-06T22:22:53.782187Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

SCEditor has DOM XSS via emoticon URL/HTML injection

Details

If an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options.

Proof of concept:

sceditor.create(textarea, {
  emoticons: {
    dropdown: { ':)': { url: 'x" onerror="window.__xss = true' } }
  }
});

Database specific

{
    "github_reviewed_at": "2026-02-06T18:34:30Z",
    "nvd_published_at": "2026-02-06T21:16:17Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

npm / sceditor

Package

Name: sceditor; View open source insights on deps.dev
Purl: pkg:npm/sceditor

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.1

Database specific

last_known_affected_version_range

"<= 3.2.0"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-25fq-6qgg-qpj8/GHSA-25fq-6qgg-qpj8.json"