Description

SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability to control configuration options passed to sceditor.create(), such as emoticons, charset, etc., then it is possible for them to trigger an XSS attack due to the lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.

PUBLISHED Reserved 2026-02-03 | Published 2026-02-06 | Updated 2026-02-06 | Assigner GitHub_M




MEDIUM: 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 3.2.1
affected

References

github.com/...Editor/security/advisories/GHSA-25fq-6qgg-qpj8

github.com/...ommit/5733aed4f0e257cb78e1ba191715fc458cbd473d

cve.org (CVE-2026-25581)

nvd.nist.gov (CVE-2026-25581)
