Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 npm packages depend on tinymce (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0.
DescriptionGitHub Advisory
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
AnalysisAI
Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via crafted data-mce-* attributes that execute in victim browsers when the rendered content is viewed. Affects TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 where the media plugin is enabled, with no public exploit identified at time of analysis despite a high CVSS score of 8.7 driven by scope change and confidentiality/integrity impact.
Technical ContextAI
TinyMCE is a widely deployed open-source WYSIWYG rich text editor embedded in CMS platforms, web applications, and SaaS products to allow end users to author HTML content. The vulnerability resides in the media plugin, which handles embedded multimedia objects (video, audio, iframes) and relies on data-mce-* attributes to preserve editor-internal state across save/load cycles. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): the plugin fails to sanitize attacker-controlled values placed into data-mce-* attributes, allowing script payloads to survive serialization and fire when content is rendered downstream. The affected CPE is cpe:2.3:a:tinymce:tinymce:*:*:*:*:*:*:*:*, covering all TinyMCE distributions integrated into host applications.
RemediationAI
Vendor-released patches are available: upgrade TinyMCE to 5.11.1, 7.9.3, or 8.5.1 (or later) depending on your major-version line, per the GitHub advisory at https://github.com/tinymce/tinymce/security/advisories/GHSA-vg35-5wq7-3x7w and the release notes at https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview and https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview. If immediate upgrade is not possible, disable the media plugin in your TinyMCE configuration (remove 'media' from the plugins list) - the trade-off is loss of in-editor video/audio embedding for authors. As a defense-in-depth measure, enforce a strict Content Security Policy on pages rendering TinyMCE output to block inline script execution, and restrict editor access to trusted users only since exploitation requires authenticated content authoring.
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), t
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6
TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. Rated medium
Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript b
Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated
Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated user
The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive
TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32922
GHSA-vg35-5wq7-3x7w