CVE-2026-4186
Cross-Site Scripting in UEditor JSONP Callback Handler
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ueditor | ueditor | to 1.4.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4186 is a cross-site scripting (XSS) vulnerability found in UEditor versions up to 1.4.3.2, specifically in the JSONP Callback Handler component within the file php/controller.php?action=uploadimage.
The vulnerability arises from improper handling of the callback parameter, which allows an attacker to inject malicious scripts due to insufficient neutralization of user-controllable input before it is included in web page output.
This issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and can be exploited remotely with user interaction.
No patches or countermeasures exist since the affected versions are no longer supported, and the vendor did not respond to the disclosure.
How can this vulnerability impact me? :
This vulnerability allows an attacker to perform cross-site scripting (XSS) attacks by injecting malicious scripts through the callback parameter.
Successful exploitation can compromise the integrity of the application, potentially leading to unauthorized script execution in the context of users accessing the vulnerable endpoint.
Since the attack can be initiated remotely and requires user interaction, it can be used to steal session tokens, deface web content, or perform other malicious actions on behalf of the user.
Because no patches or mitigations exist, the recommended action is to replace the affected product with a secure alternative.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the vulnerable endpoint for improper handling of the callback parameter in the URL `php/controller.php?action=uploadimage`. Specifically, sending crafted requests with malicious JavaScript code in the callback parameter and observing if the response reflects the injected script without proper sanitization indicates the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'A simple detection command using curl could be:'}, {'type': 'list_item', 'content': 'curl -i "http://<target>/php/controller.php?action=uploadimage&callback=alert(1)"'}, {'type': 'paragraph', 'content': 'If the response includes the injected JavaScript code (e.g., alert(1)) executed or reflected in the response, the system is vulnerable to this cross-site scripting issue.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
There are no known patches or countermeasures available for this vulnerability as the affected UEditor versions are no longer supported by the vendor.
Immediate mitigation steps include:
- Replace the vulnerable UEditor component with a maintained and secure alternative.
- If replacement is not immediately possible, implement input validation or sanitization on the callback parameter to prevent injection of malicious scripts.
- Restrict access to the vulnerable endpoint via network controls or web application firewall (WAF) rules to block malicious requests.