PT-2026-6797 · Sceditor · Sceditor

Author: Sofianeelhor · Published 2026-02-06 · Updated 2026-02-19

CVE-2026-25581
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SCEditor versions prior to 3.2.1
Description: SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Configuration options passed to the sceditor.create() function are not sanitised or validated before use, so an attacker who can control those options (for example the emoticons and charset options) can inject markup and trigger cross-site scripting (XSS). The precondition is therefore control over the options object, which in practice means an application that builds editor options from user-supplied or otherwise untrusted data. A proof of concept demonstrates exploitation through the emoticons option by injecting an onerror event handler.
Recommendations: Update to version 3.2.1 or later. Until the update is applied, do not pass user-controlled values into the options given to sceditor.create().
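The description above explains the bug class but not the mechanism, so here is an added illustrative example. It is not SCEditor's code and does not reproduce the project's internals; it models the pattern the advisory describes (an emoticon source taken from the options object and concatenated into an `<img>` tag) beside a hardened version that escapes attribute values and allow-lists the source. All function names, the regex policy, and the constructed malicious configuration are assumptions for illustration.

```javascript
// Added illustrative example, not SCEditor's implementation.
// Models an emoticon renderer that interpolates configuration values into
// HTML without escaping, and a hardened counterpart.

// Constructed attacker-controlled configuration: the value an attacker would
// place in the emoticons option if the application lets them influence it.
const MALICIOUS_EMOTICONS = {
  ':)': 'smile.png" onerror="alert(document.domain)',
};

// Constructed benign configuration for comparison.
const BENIGN_EMOTICONS = {
  ':)': 'emoticons/smile.png',
};

// Vulnerable pattern: option values concatenated straight into markup.
// A double quote in the source value closes the src attribute and lets the
// attacker append arbitrary attributes, including event handlers.
function renderEmoticonsUnsafe(emoticons) {
  return Object.entries(emoticons)
    .map(([code, src]) => `<img src="${src}" alt="${code}">`)
    .join('');
}

// Minimal HTML attribute escaping (hypothetical helper).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed policy: emoticon sources must be a relative path or http(s) URL
// ending in a raster image extension; anything else is rejected up front.
const SAFE_SRC = /^(?:https?:\/\/|\/|\.\/)?[\w./-]+\.(?:png|gif|jpe?g|webp)$/i;

// Hardened pattern: validate the option, then escape every interpolated value.
function renderEmoticonsSafe(emoticons) {
  return Object.entries(emoticons)
    .map(([code, src]) => {
      if (!SAFE_SRC.test(src)) {
        throw new Error(`rejected emoticon source for ${JSON.stringify(code)}`);
      }
      return `<img src="${escapeAttr(src)}" alt="${escapeAttr(code)}">`;
    })
    .join('');
}

// Detection helper: does generated markup carry an injected event handler
// attribute (on<event>=)? Useful as a regression check in tests.
function containsEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe:', renderEmoticonsUnsafe(MALICIOUS_EMOTICONS));
console.log('safe  :', renderEmoticonsSafe(BENIGN_EMOTICONS));
try {
  renderEmoticonsSafe(MALICIOUS_EMOTICONS);
} catch (e) {
  console.log('blocked:', e.message);
}
```

The unsafe renderer turns the constructed value into `<img src="smile.png" onerror="alert(document.domain)" alt=":)">`, which is exactly the onerror injection the advisory's proof of concept relies on. The hardened renderer refuses the value before it reaches the markup, and even for values that pass the allow-list it escapes the quote characters that make attribute break-out possible. Treat the allow-list as the primary control and escaping as defence in depth; the real fix is to upgrade to 3.2.1 and to keep untrusted data out of the options object.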

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25581
GHSA-25FQ-6QGG-QPJ8

Affected Products

Sceditor