Description
If an attacker has the ability to control the configuration options passed to sceditor.create() (for example emoticons, charset, etc.), they can trigger cross-site scripting (XSS), because those configuration options are not sanitised before being used.
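The following is an added illustration of the flaw class the description refers to, not sceditor's own source and not the 3.2.1 fix: configuration values (emoticon codes and image paths, the charset) are copied into editor markup as-is, so a value containing `"><` closes the attribute and injects a new tag. The hardened version shown beside it validates each option against an allowlist and escapes on output. Every function name here is hypothetical, and `ATTACKER_CONFIG` is constructed for the demonstration.

```javascript
// Added illustration, not sceditor's source or its patch. Names are hypothetical
// and the config below is constructed for the demo.

// Constructed config an attacker who controls the options could supply.
const ATTACKER_CONFIG = {
  charset: 'utf-8"><script>alert(1)</script>',
  emoticons: {
    ':)': 'emoticons/smile.png',                              // benign entry
    '"><img src=x onerror=alert(1)>': 'javascript:alert(1)',  // hostile code and URL
    '"><b>x</b>': 'emoticons/x.png',                         // hostile code, benign URL
  },
};

// Vulnerable pattern: option values are interpolated into HTML unescaped.
function buildEditorHtmlUnsafe(options) {
  const icons = Object.entries(options.emoticons)
    .map(([code, src]) => `<img src="${src}" alt="${code}" />`)
    .join('');
  return `<meta charset="${options.charset}">` +
         `<div class="emoticons">${icons}</div>`;
}

// Escape a string for use as a text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only the characters used in IANA charset names; fall back otherwise.
function safeCharset(value) {
  const s = String(value);
  return /^[A-Za-z0-9._:()+-]{1,40}$/.test(s) ? s : 'utf-8';
}

// Accept only http(s) or relative image sources. Resolving against a dummy
// base lets the URL parser decide the scheme, so 'javascript:' and 'data:'
// are rejected by protocol rather than by a fragile string-prefix check.
function safeImageSrc(value) {
  try {
    const url = new URL(String(value), 'https://placeholder.invalid/');
    return url.protocol === 'http:' || url.protocol === 'https:' ? String(value) : '';
  } catch (e) {
    return '';
  }
}

// Hardened pattern: validate each option against an allowlist, then escape
// on output. Entries whose image source fails validation are dropped.
function buildEditorHtmlSafe(options) {
  const icons = Object.entries(options.emoticons || {})
    .map(([code, src]) => [code, safeImageSrc(src)])
    .filter(([, src]) => src !== '')
    .map(([code, src]) => `<img src="${escapeHtml(src)}" alt="${escapeHtml(code)}" />`)
    .join('');
  return `<meta charset="${safeCharset(options.charset)}">` +
         `<div class="emoticons">${icons}</div>`;
}

// Count tag openings. Any tag beyond the ones the template itself emits means
// a configuration value broke out of its attribute.
function countTags(html) {
  return (html.match(/<[a-z!\/]/gi) || []).length;
}

console.log('unsafe tags:', countTags(buildEditorHtmlUnsafe(ATTACKER_CONFIG)));
console.log('safe tags:  ', countTags(buildEditorHtmlSafe(ATTACKER_CONFIG)));
```

The tag count is a cheap regression check for this class of bug: with the constructed config the unsafe builder emits eleven tags (including the injected `<script>` and `<img ... onerror>`), while the hardened builder emits exactly the five its template contains. Note that escaping alone is not enough for URL-valued options such as emoticon paths; a `javascript:` source survives escaping intact, which is why the URL is validated by scheme before it is escaped.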
Recommendation
Update the sceditor package to the latest compatible version. Version details:
- Affected version(s): <= 3.2.0
- Patched version(s): 3.2.1
References
Related Issues
- Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
- i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
- Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011
- Tags:
- npm
- sceditor
Last updated on February 06, 2026