CVE-2026-4186 MEDIUM

CVE-2026-4186: UEditor JSONP Callback controller.php cross site scripting

Vendor N/A

Product UEditor

Weakness CWE-79 · XSS

Published March 15, 2026

Last update March 17, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.

Key dates

Disclosure timeline

March 15, 2026 CVE published

March 17, 2026 Record updated

Identifiers

CVE CVE-2026-4186

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor N/A

Product UEditor

Affected 1.4.3.0

Vendor N/A

Product UEditor

Affected 1.4.3.1

Vendor N/A

Product UEditor

Affected 1.4.3.2