CVE-2026-4186

LOW 3.5

UEditor JSONP Callback controller.php cross site scripting

CVSS Score

3.5

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

CWE	CWE-79 CWE-94
Vendor	n/a
Product	ueditor
Published	Mar 15, 2026
Last Updated	Mar 17, 2026

Stay Ahead of the Next One

Get instant alerts for n/a ueditor

Be the first to know when new low vulnerabilities affecting n/a ueditor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

n/a / UEditor

1.4.3.0 1.4.3.1 1.4.3.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.351092 vuldb.com: https://vuldb.com/?ctiid.351092 vuldb.com: https://vuldb.com/?submit.769842 magnificent-dill-351.notion.site: https://magnificent-dill-351.notion.site/JSONP-Injection-in-ueditor-1-4-3-2-317c693918ed80cbb96dc8e1a9f0e8b2

Credits

🔍 s0l42 (VulDB User) VulDB