SCEditor affected by DOM XSS via emoticon URL/HTML injection

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.

Basic Information

ID CVE-2026-25581

Source GitHub_M

Published Feb 6, 2026 at 20:58

Affected Product

Vendor samclarke

Product SCEditor

Version < 3.2.1

Affected Versions samclarke SCEditor < 3.2.1

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.",
    "published": "2026-02-06T20:58:02.788Z",
    "modified": "2026-02-06T20:58:02.788Z",
    "type": "cve",
    "title": "SCEditor affected by DOM XSS via emoticon URL/HTML injection",
    "source": "GitHub_M",
    "references": "https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8\nhttps://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d",
    "id": "CVE-2026-25581",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "samclarke SCEditor < 3.2.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SCEditor",
    "version": "< 3.2.1",
    "vendor": "samclarke",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

SCEditor affected by DOM XSS via emoticon URL/HTML injection_CVE-2026-25581