Cross-site Scripting (XSS)

SCEditor is vulnerable to Cross-site Scripting XSS. The vulnerability is due to lack of sanitization of user-controlled configuration options passed to sceditor.create, which allows an attacker to inject malicious scripts and execute arbitrary JavaScript in the application context...

CVE-2026-25581

SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration option...

PT-2026-6797

Name of the Vulnerable Software and Affected Versions SCEditor versions prior to 3.2.1 Description SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. A lack of sanitisation of configuration options passed to the sceditor.create function allows an attacker who can control these options—suc...

PT-2026-6845

If an attacker has the ability control configuration options passed to sceditor.create, like emoticons, charset, etc. then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. Proof of concept: js sceditor.createtextarea, emoticons: dropdown: ':':...