CVE-2026-4186
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Scripting in UEditor JSONP Callback Handler

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4186
EUVD
EUVD-2026-12243
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ueditor ueditor to 1.4.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4186 is a cross-site scripting (XSS) vulnerability found in UEditor versions up to 1.4.3.2, specifically in the JSONP Callback Handler component within the file php/controller.php?action=uploadimage.

The vulnerability arises from improper handling of the callback parameter, which allows an attacker to inject malicious scripts due to insufficient neutralization of user-controllable input before it is included in web page output.

This issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and can be exploited remotely with user interaction.

No patches or countermeasures exist since the affected versions are no longer supported, and the vendor did not respond to the disclosure.

Impact Analysis

This vulnerability allows an attacker to perform cross-site scripting (XSS) attacks by injecting malicious scripts through the callback parameter.

Successful exploitation can compromise the integrity of the application, potentially leading to unauthorized script execution in the context of users accessing the vulnerable endpoint.

Since the attack can be initiated remotely and requires user interaction, it can be used to steal session tokens, deface web content, or perform other malicious actions on behalf of the user.

Because no patches or mitigations exist, the recommended action is to replace the affected product with a secure alternative.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the vulnerable endpoint for improper handling of the callback parameter in the URL `php/controller.php?action=uploadimage`. Specifically, sending crafted requests with malicious JavaScript code in the callback parameter and observing if the response reflects the injected script without proper sanitization indicates the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'A simple detection command using curl could be:'}, {'type': 'list_item', 'content': 'curl -i "http://<target>/php/controller.php?action=uploadimage&callback=alert(1)"'}, {'type': 'paragraph', 'content': 'If the response includes the injected JavaScript code (e.g., alert(1)) executed or reflected in the response, the system is vulnerable to this cross-site scripting issue.'}] [1, 2]

Mitigation Strategies

There are no known patches or countermeasures available for this vulnerability as the affected UEditor versions are no longer supported by the vendor.

Immediate mitigation steps include:

  • Replace the vulnerable UEditor component with a maintained and secure alternative.
  • If replacement is not immediately possible, implement input validation or sanitization on the callback parameter to prevent injection of malicious scripts.
  • Restrict access to the vulnerable endpoint via network controls or web application firewall (WAF) rules to block malicious requests.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart