CVE-2026-4186 identifies a cross-site scripting vulnerability in UEditor, an open-source web-based rich text editor, affecting versions 1.4.3.0 through 1.4.3.2. The flaw exists in the JSONP Callback Handler within the php/controller.php script when handling the 'uploadimage' action. Specifically, the 'callback' parameter is not properly sanitized or validated, allowing an attacker to inject arbitrary JavaScript code. This vulnerability can be exploited remotely without authentication, but requires a victim to interact with a crafted URL or page that triggers the malicious callback execution in their browser context. The vulnerability leverages JSONP, a technique that can bypass same-origin policies, making it a potent vector for XSS attacks. The vendor has not responded to disclosure attempts, and no official patches or updates are available since these versions are no longer maintained. The CVSS 4.0 base score is 5.1 (medium), reflecting the moderate impact on confidentiality and integrity with limited availability impact. The attack complexity is low, and user interaction is necessary. While no known exploits in the wild have been reported, the public disclosure increases the risk of exploitation, especially in legacy systems still deploying these UEditor versions.

The primary impact of this vulnerability is the potential for client-side code injection leading to cross-site scripting attacks. Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially resulting in session hijacking, theft of cookies or credentials, defacement, or redirection to malicious sites. This compromises user confidentiality and integrity but does not directly affect server availability. Organizations using vulnerable UEditor versions in their web applications expose their users to these risks, which can damage reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Since the affected versions are no longer supported, organizations face increased risk due to the absence of vendor patches. The medium severity score reflects the moderate but significant threat posed, especially for high-traffic or sensitive web applications.

Given the lack of vendor support and patches, organizations should prioritize migrating away from UEditor versions 1.4.3.0 to 1.4.3.2 to actively maintained alternatives or newer, secure versions if available. If migration is not immediately feasible, implement strict input validation and output encoding on the 'callback' parameter to ensure only safe, expected values are accepted. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS payloads. Additionally, consider disabling JSONP functionality if it is not required, or replace JSONP with safer alternatives like CORS. Regularly audit web application code for unsafe parameter handling and educate developers on secure coding practices related to client-side scripting. Monitoring web traffic for suspicious requests targeting the vulnerable endpoint can also help detect attempted exploitation.