CVE-2026-4186

LOW

UEditor <= 1.4.3.2 - Cross-Site Scripting via JSONP Callback Parameter

Title source: llm

Description

A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

References (4)

Core 4

Core References

Permissions Required, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.351092

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.351092

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/?submit.769842

Various Sources exploit

https://magnificent-dill-351.notion.site/JSONP-Injection-in-ueditor-1-4-3-2-317c693918ed80cbb96dc8e1a9f0e8b2

Scores

CVSS v3 3.5

EPSS 0.0024

EPSS Percentile 15.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (3)

n/a/UEditor 1.4.3.0

n/a/UEditor 1.4.3.1

n/a/UEditor 1.4.3.2

Published Mar 16, 2026

Tracked Since Mar 16, 2026