CVE-2026-25581
Cross-Site Scripting in SCEditor Configuration Options Before
Publication date: 2026-02-06
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sceditor | sceditor | to 3.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25581 is a moderate severity DOM-based Cross-Site Scripting (XSS) vulnerability in the SCEditor package versions up to 3.2.0. It occurs because configuration options passed to the sceditor.create() function, such as emoticons and charset, are not properly sanitized. This allows an attacker who can control these configuration options to inject malicious scripts that execute in the context of the editor, leading to XSS attacks.
The vulnerability arises from insufficient validation and sanitization of user-controllable inputs in configuration options, enabling injection of unsafe HTML, CSS, or JavaScript. The issue was fixed in version 3.2.1 by enhancing input sanitization, URI scheme validation, escaping of inserted parameters, and restricting unsafe attributes and URLs.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the affected application using SCEditor. This can lead to unauthorized actions such as stealing user credentials, session tokens, or other sensitive information accessible via the browser.
The impact includes limited confidentiality and integrity loss, as the attacker can inject scripts that manipulate or access data within the editor or the surrounding web page. However, there is no impact on availability.
Exploitation requires the attacker to control configuration options passed to the editor and some user interaction, but privileges required are low and the attack complexity is low, making it a realistic threat in vulnerable environments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves improper sanitization of configuration options passed to the sceditor.create() function, which can lead to XSS attacks if malicious scripts are injected via options like emoticons or charset.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can check the version of SCEditor in use and inspect any configuration options passed to sceditor.create() for unsafe or suspicious values, especially in emoticons or charset settings.'}, {'type': 'paragraph', 'content': 'Since this is a client-side JavaScript library vulnerability, network detection might involve monitoring for suspicious payloads or script injections in web traffic related to SCEditor usage.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect vulnerable versions or unsafe configurations could include:'}, {'type': 'list_item', 'content': 'Use grep or similar tools to find SCEditor version in your codebase: `grep -r "sceditor" ./`'}, {'type': 'list_item', 'content': 'Check package.json or lock files for sceditor version: `grep sceditor package.json package-lock.json yarn.lock`'}, {'type': 'list_item', 'content': 'Search for usage of sceditor.create() and inspect configuration options for unsafe values: `grep -r "sceditor.create" ./`'}, {'type': 'list_item', 'content': 'Monitor web application logs or use browser developer tools to detect injected scripts or unexpected event handlers in emoticon URLs or charset attributes.'}] [2, 1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade SCEditor to version 3.2.1 or later, where this vulnerability has been fixed by enhancing input sanitization and URI validation.
If upgrading immediately is not possible, ensure that any configuration options passed to sceditor.create(), such as emoticons and charset, are strictly validated and sanitized to prevent injection of malicious scripts.
Avoid allowing untrusted users to control or modify configuration options that affect SCEditor initialization.
Review and implement input sanitization measures similar to those introduced in the fix, including:
- Validating attributes like style and charset using safe defaults if invalid.
- Using strict URI scheme validation for URLs in emoticons or other options.
- Sanitizing all inserted parameters and generated HTML to prevent injection of malicious content.