37 matches found
Cross-site Scripting (XSS)
SCEditor is vulnerable to Cross-site Scripting XSS. The vulnerability is due to lack of sanitization of user-controlled configuration options passed to sceditor.create, which allows an attacker to inject malicious scripts and execute arbitrary JavaScript in the application context...
CVE-2026-25581
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...
CVE-2026-25581
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...
EUVD-2026-5575
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...
CVE-2026-25581
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...
CVE-2026-25581 SCEditor affected by DOM XSS via emoticon URL/HTML injection
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...
CVE-2026-25581 SCEditor affected by DOM XSS via emoticon URL/HTML injection
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...
CVE-2026-25581 SCEditor affected by DOM XSS via emoticon URL/HTML injection
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...
CVE-2026-25581
SCEditor has a DOM XSS vulnerability pre-3.2.1 when configuration options passed to sceditor.create() (e.g., emoticons, charset) are not sanitised. An attacker who can control these options can inject malicious payloads, as demonstrated by the provided PoC where an onerror handler is injected via...
@es-joy/jsoe (>=0.0.1 <=0.16.0) potentially affected by CVE-2026-25581 via sceditor (=3.2.0)
sceditor NPM version =3.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on sceditor and may be impacted: - @es-joy/jsoe =0.0.1, =0.16.0 Source cves: CVE-2026-25581 Source advisory: SNYK:JS-SCEDITOR-15248349...
SCEditor has DOM XSS via emoticon URL/HTML injection
If an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. Proof of concept: js sceditor.createtextarea, emoticons: dropdown: ':':...
Cross-site Scripting (XSS)
Overview sceditor is a lightweight WYSIWYG BBCode and XHTML editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the sceditor.create process. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious configuration...
GHSA-25FQ-6QGG-QPJ8 SCEditor has DOM XSS via emoticon URL/HTML injection
If an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. Proof of concept: js sceditor.createtextarea, emoticons: dropdown: ':':...
Cross-site Scripting (XSS)
Overview org.webjars.npm:sceditor is a lightweight WYSIWYG BBCode and XHTML editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the sceditor.create process. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious...
CVE-2026-25581
creationtimestamp| type| source ---|---|--- 2026-02-06 02:23:54+00:00| published-proof-of-concept| https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8...
SCEditor 跨站脚本漏洞
SCEditor is a visual editor developed by Sam Personal Developer. Versions of SCEditor prior to 3.2.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient cleanup of configuration options passed to sceditor.create, which could lead to cross-site scripting...
PT-2026-6797
Name of the Vulnerable Software and Affected Versions SCEditor versions prior to 3.2.1 Description SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. A lack of sanitisation of configuration options passed to the sceditor.create function allows an attacker who can control these options—suc...
PT-2026-6845
If an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. Proof of concept: js sceditor.createtextarea, emoticons: dropdown: ':':...
EUVD-2019-9086
Malware in sbrugna...
CVE-2019-19466
SCEditor 2.1.3 allows XSS...