Moderate severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 9, 2026
SCEditor affected by DOM XSS via emoticon URL/HTML injection
CVE-2026-25581
Description
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability to control configuration options passed to sceditor.create(), such as emoticons, charset, etc., then it is possible for them to trigger an XSS attack due to a lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.
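For applications that build editor options from data they do not fully control, the following added example (not SCEditor's code and not the upstream patch) allowlists the `charset` and `emoticons` values before they reach `sceditor.create()`. The helper names, length limits and sample data are assumptions made for illustration; `dropdown`, `more` and `hidden` are SCEditor's emoticon groups.

```javascript
// Added example: allowlist validation of options before sceditor.create().
// Function names, limits and sample data are assumptions made for illustration.
const SAFE_CHARSET = /^[A-Za-z0-9._:-]{1,40}$/;      // e.g. "utf-8"
const SAFE_CODE = /^[^\s<>"'&`]{1,16}$/;             // emoticon code such as ":)"
const GROUPS = ['dropdown', 'more', 'hidden'];       // SCEditor emoticon groups
const isObj = (v) => v !== null && typeof v === 'object';

// Relative paths or https URLs only, built from URL-safe characters, so the
// value cannot close an attribute, add markup, or use a script-capable scheme.
function isSafeEmoticonUrl(url) {
  if (typeof url !== 'string' || url.length > 200) return false;
  if (!/^[A-Za-z0-9\/._~%:-]+$/.test(url) || url.startsWith('//')) return false;
  const scheme = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  return scheme ? scheme[1].toLowerCase() === 'https' : true;
}

// Copy only validated values into a fresh object; everything else (including
// non-string emoticon values) is dropped and reported so the caller can log it.
function sanitizeEditorOptions(untrusted) {
  const clean = {};
  const rejected = [];
  const src = isObj(untrusted) ? untrusted : {};
  if ('charset' in src) {
    if (typeof src.charset === 'string' && SAFE_CHARSET.test(src.charset)) clean.charset = src.charset;
    else rejected.push('charset');
  }
  if (isObj(src.emoticons)) {
    clean.emoticons = {};
    for (const group of GROUPS) {
      const out = {};
      const entries = isObj(src.emoticons[group]) ? src.emoticons[group] : {};
      for (const [code, url] of Object.entries(entries)) {
        if (SAFE_CODE.test(code) && isSafeEmoticonUrl(url)) out[code] = url;
        else rejected.push(`emoticons.${group}[${JSON.stringify(code)}]`);
      }
      clean.emoticons[group] = out;
    }
  }
  return { clean, rejected };
}

// Constructed sample: one benign entry and values that try to carry markup.
const sample = {
  charset: 'utf-8"><b>',
  emoticons: { dropdown: {
    ':)': 'emoticons/smile.png',
    ':(': 'smile.png" onerror="x',
    ':P': 'javascript:void(0)',
  } },
};
console.log(JSON.stringify(sanitizeEditorOptions(sample)));
```

Pass only `clean` to `sceditor.create()` and log `rejected`; this is defence in depth and does not replace upgrading to 3.2.1.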
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sceditor (npm) | < 3.2.1 | 3.2.1 |
Affected products (2)
- samclarke/SCEditor · v5 · Range: < 3.2.1
References (4)
- github.com/advisories/GHSA-25fq-6qgg-qpj8 · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25581 · ghsa · ADVISORY
- github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d · ghsa · x_refsource_MISC · WEB
- github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8 · ghsa · x_refsource_CONFIRM · WEB