Description
If an attacker is able to control the configuration options passed to sceditor.create(), such as emoticons, charset, etc., they can trigger an XSS attack because the configuration options are not sanitised.
Recommendation
Update the sceditor package to the latest compatible version. Version details:
- Affected version(s): <= 3.2.0
- Patched version(s): 3.2.1
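
Where part of the configuration comes from untrusted input (stored preferences, query parameters), the options can also be allowlisted before they reach sceditor.create(). The following is an added example, not code from the advisory or from the SCEditor project. Assumptions: the helper name `safeEditorOptions`, the charset allowlist, the two regular expressions, and the `dropdown`/`more`/`hidden` emoticon groups with string image paths as values.

```javascript
// Added example: safeEditorOptions and the policy constants are hypothetical.
const ALLOWED_CHARSETS = new Set(['utf-8', 'iso-8859-1', 'windows-1252']);
const EMOTICON_GROUPS = ['dropdown', 'more', 'hidden'];
// Codes: short, no whitespace or HTML metacharacters. Deliberately strict:
// a code such as "<3" is dropped under this policy.
const CODE_RE = /^[^\s<>"'&`]{1,8}$/;
// Image paths: relative, lowercase, image extension only (no scheme, no "..").
const PATH_RE = /^[a-z0-9_-]+(\/[a-z0-9_-]+)*\.(png|gif|svg)$/;

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Returns { options, rejected }: options is what gets handed to the editor,
// rejected lists every input path that was dropped (log it for review).
function safeEditorOptions(untrusted) {
  const options = { charset: 'utf-8', emoticons: {} };
  const rejected = [];
  if (!isPlainObject(untrusted)) return { options, rejected: ['<root>'] };

  // Only charset and emoticons may be influenced by untrusted input.
  for (const key of Object.keys(untrusted)) {
    if (key !== 'charset' && key !== 'emoticons') rejected.push(key);
  }

  const cs = untrusted.charset;
  if (typeof cs === 'string' && ALLOWED_CHARSETS.has(cs.toLowerCase())) {
    options.charset = cs.toLowerCase();
  } else if (cs !== undefined) {
    rejected.push('charset');
  }

  const emo = untrusted.emoticons;
  if (emo !== undefined && !isPlainObject(emo)) rejected.push('emoticons');
  for (const group of isPlainObject(emo) ? Object.keys(emo) : []) {
    const src = emo[group];
    if (!EMOTICON_GROUPS.includes(group) || !isPlainObject(src)) {
      rejected.push(`emoticons.${group}`);
      continue;
    }
    const clean = {};
    for (const [code, path] of Object.entries(src)) {
      const ok = CODE_RE.test(code) && typeof path === 'string' && PATH_RE.test(path);
      if (ok) clean[code] = path;
      else rejected.push(`emoticons.${group}[${JSON.stringify(code)}]`);
    }
    options.emoticons[group] = clean;
  }
  return { options, rejected };
}
// Usage in the page: sceditor.create(textarea, safeEditorOptions(prefs).options);
```

This filtering is defence in depth on the caller's side; it does not replace upgrading to the patched version.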
References
Related Issues
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- jsPDF has HTML Injection in New Window paths - CVE-2026-31938
- jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
- Tags: npm, sceditor
Last updated on February 06, 2026