CVE-2026-25581
Unknown Unknown - Not Provided
Cross-Site Scripting in SCEditor Configuration Options Before

Publication date: 2026-02-06

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25581
EUVD
EUVD-2026-5575
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sceditor sceditor to 3.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25581 is a moderate severity DOM-based Cross-Site Scripting (XSS) vulnerability in the SCEditor package versions up to 3.2.0. It occurs because configuration options passed to the sceditor.create() function, such as emoticons and charset, are not properly sanitized. This allows an attacker who can control these configuration options to inject malicious scripts that execute in the context of the editor, leading to XSS attacks.

The vulnerability arises from insufficient validation and sanitization of user-controllable inputs in configuration options, enabling injection of unsafe HTML, CSS, or JavaScript. The issue was fixed in version 3.2.1 by enhancing input sanitization, URI scheme validation, escaping of inserted parameters, and restricting unsafe attributes and URLs.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the affected application using SCEditor. This can lead to unauthorized actions such as stealing user credentials, session tokens, or other sensitive information accessible via the browser.

The impact includes limited confidentiality and integrity loss, as the attacker can inject scripts that manipulate or access data within the editor or the surrounding web page. However, there is no impact on availability.

Exploitation requires the attacker to control configuration options passed to the editor and some user interaction, but privileges required are low and the attack complexity is low, making it a realistic threat in vulnerable environments.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves improper sanitization of configuration options passed to the sceditor.create() function, which can lead to XSS attacks if malicious scripts are injected via options like emoticons or charset.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check the version of SCEditor in use and inspect any configuration options passed to sceditor.create() for unsafe or suspicious values, especially in emoticons or charset settings.'}, {'type': 'paragraph', 'content': 'Since this is a client-side JavaScript library vulnerability, network detection might involve monitoring for suspicious payloads or script injections in web traffic related to SCEditor usage.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect vulnerable versions or unsafe configurations could include:'}, {'type': 'list_item', 'content': 'Use grep or similar tools to find SCEditor version in your codebase: `grep -r "sceditor" ./`'}, {'type': 'list_item', 'content': 'Check package.json or lock files for sceditor version: `grep sceditor package.json package-lock.json yarn.lock`'}, {'type': 'list_item', 'content': 'Search for usage of sceditor.create() and inspect configuration options for unsafe values: `grep -r "sceditor.create" ./`'}, {'type': 'list_item', 'content': 'Monitor web application logs or use browser developer tools to detect injected scripts or unexpected event handlers in emoticon URLs or charset attributes.'}] [2, 1]

Mitigation Strategies

The primary mitigation step is to upgrade SCEditor to version 3.2.1 or later, where this vulnerability has been fixed by enhancing input sanitization and URI validation.

If upgrading immediately is not possible, ensure that any configuration options passed to sceditor.create(), such as emoticons and charset, are strictly validated and sanitized to prevent injection of malicious scripts.

Avoid allowing untrusted users to control or modify configuration options that affect SCEditor initialization.

Review and implement input sanitization measures similar to those introduced in the fix, including:

  • Validating attributes like style and charset using safe defaults if invalid.
  • Using strict URI scheme validation for URLs in emoticons or other options.
  • Sanitizing all inserted parameters and generated HTML to prevent injection of malicious content.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25581. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart