Search

Find a vulnerability

Search criteria

    4 vulnerabilities by sceditor

    CVE-2026-25581 (GCVE-0-2026-25581)

    Vulnerability from nvd – Published: 2026-02-06 20:58 – Updated: 2026-02-09 15:27
    VLAI
    Title
    SCEditor affected by DOM XSS via emoticon URL/HTML injection
    Summary
    SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    samclarke SCEditor Affected: < 3.2.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25581",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-09T15:19:24.104172Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-09T15:27:43.193Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SCEditor",
              "vendor": "samclarke",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.2.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it\u0027s possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T20:58:02.788Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8"
            },
            {
              "name": "https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d"
            }
          ],
          "source": {
            "advisory": "GHSA-25fq-6qgg-qpj8",
            "discovery": "UNKNOWN"
          },
          "title": "SCEditor affected by DOM XSS via emoticon URL/HTML injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25581",
        "datePublished": "2026-02-06T20:58:02.788Z",
        "dateReserved": "2026-02-03T01:02:46.715Z",
        "dateUpdated": "2026-02-09T15:27:43.193Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2019-19466 (GCVE-0-2019-19466)

    Vulnerability from nvd – Published: 2019-12-05 16:13 – Updated: 2024-08-05 02:16
    VLAI
    Summary
    SCEditor 2.1.3 allows XSS.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:16:47.339Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sceditor.com/tags/releases/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SCEditor 2.1.3 allows XSS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-05T16:13:38.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sceditor.com/tags/releases/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-19466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SCEditor 2.1.3 allows XSS."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sceditor.com/tags/releases/",
                  "refsource": "MISC",
                  "url": "https://www.sceditor.com/tags/releases/"
                },
                {
                  "name": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/",
                  "refsource": "MISC",
                  "url": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-19466",
        "datePublished": "2019-12-05T16:13:38.000Z",
        "dateReserved": "2019-11-30T00:00:00.000Z",
        "dateUpdated": "2024-08-05T02:16:47.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-25581 (GCVE-0-2026-25581)

    Vulnerability from cvelistv5 – Published: 2026-02-06 20:58 – Updated: 2026-02-09 15:27
    VLAI
    Title
    SCEditor affected by DOM XSS via emoticon URL/HTML injection
    Summary
    SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    samclarke SCEditor Affected: < 3.2.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25581",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-09T15:19:24.104172Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-09T15:27:43.193Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SCEditor",
              "vendor": "samclarke",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.2.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it\u0027s possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T20:58:02.788Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8"
            },
            {
              "name": "https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d"
            }
          ],
          "source": {
            "advisory": "GHSA-25fq-6qgg-qpj8",
            "discovery": "UNKNOWN"
          },
          "title": "SCEditor affected by DOM XSS via emoticon URL/HTML injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25581",
        "datePublished": "2026-02-06T20:58:02.788Z",
        "dateReserved": "2026-02-03T01:02:46.715Z",
        "dateUpdated": "2026-02-09T15:27:43.193Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2019-19466 (GCVE-0-2019-19466)

    Vulnerability from cvelistv5 – Published: 2019-12-05 16:13 – Updated: 2024-08-05 02:16
    VLAI
    Summary
    SCEditor 2.1.3 allows XSS.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:16:47.339Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sceditor.com/tags/releases/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SCEditor 2.1.3 allows XSS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-12-05T16:13:38.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sceditor.com/tags/releases/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-19466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SCEditor 2.1.3 allows XSS."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sceditor.com/tags/releases/",
                  "refsource": "MISC",
                  "url": "https://www.sceditor.com/tags/releases/"
                },
                {
                  "name": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/",
                  "refsource": "MISC",
                  "url": "https://edricteo.com/sceditor-xss-vulnerability-in-version-2.1.3/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-19466",
        "datePublished": "2019-12-05T16:13:38.000Z",
        "dateReserved": "2019-11-30T00:00:00.000Z",
        "dateUpdated": "2024-08-05T02:16:47.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }