Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 npm packages depend on tinymce (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0.
DescriptionGitHub Advisory
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
AnalysisAI
Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated attackers to inject malicious payloads via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes that override safe attributes during serialization. The scope-changing CVSS 8.7 score reflects that successful exploitation impacts other users viewing the rendered content, and no public exploit identified at time of analysis though the upstream GitHub advisory provides technical detail useful to researchers.
Technical ContextAI
TinyMCE is a widely embedded open-source WYSIWYG rich text editor (cpe:2.3:a:tinymce:tinymce) used in CMS platforms, webmail, ticketing systems, and SaaS applications. The flaw is a CWE-79 Improper Neutralization of Input During Web Page Generation in the serialization layer: TinyMCE uses internal data-mce-* shadow attributes (data-mce-href, data-mce-src, data-mce-style) to preserve original author input alongside sanitized public attributes. Because these shadow attributes were not themselves sanitized, attacker-controlled values are written back over the validated href/src/style during HTML serialization, defeating the editor's built-in XSS filtering.
RemediationAI
Vendor-released patch: upgrade TinyMCE to 5.11.1, 7.9.3, or 8.5.1 depending on the deployment's major branch, per the GitHub Security Advisory at https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f and the 7.9.3 and 8.5.1 release notes at tiny.cloud. Where immediate upgrade is not feasible, apply a server-side HTML sanitizer such as DOMPurify on stored editor output before rendering and explicitly strip or disallow data-mce-href, data-mce-src, and data-mce-style attributes - the trade-off is that round-tripping content back into the editor may lose formatting fidelity that those shadow attributes preserve. A strict Content-Security-Policy that forbids inline event handlers and unsafe-inline scripts reduces the impact of any residual injection but does not block style-based or javascript: URL vectors on its own. Restrict editor access to trusted authenticated users where business context allows, given exploitation requires PR:L.
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), t
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6
TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. Rated medium
Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript b
Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via
Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated user
The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive
TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32921
GHSA-q742-qvgc-gc2f