CVE-2026-4186 | UEditor up to 1.4.3.2 JSONP Callback controller.php?action=uploadimage callback cross site scripting

A vulnerability classified as problematic has been found in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. This vulnerability only affects products that are no longer supported by the maintainer.

This vulnerability is handled as CVE-2026-4186. The attack can be initiated remotely. Additionally, an exploit exists.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-4186 | UEditor up to 1.4.3.2 JSONP Callback controller.php?action=uploadimage callback cross site scripting

Post correlati

CVE-2023-23021 | SourceCodester POS Point Sale System 1.0 Main.php code/name/description cross site scripting

CVE-2025-68047 | Arraytics Eventin Plugin up to 4.1.1 on WordPress deserialization

CVE-2025-10078 | SourceCodester Online Polling System 1.0 /admin/candidates.php ID sql injection

CVE-2024-0110 | NVIDIA CUDA Toolkit up to 12.6 cuobjdump out-of-bounds write