Skip to main content

TinyMCE EUVDEUVD-2026-32920

| CVE-2026-47760 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-28 GitHub_M GHSA-mh5m-5hw4-5c69
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 28, 2026 - 17:01 EUVD
Analysis Generated
May 28, 2026 - 15:51 vuln.today

DescriptionGitHub Advisory

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

AnalysisAI

Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated users to inject and execute arbitrary JavaScript in the context of any application embedding the editor. The flaw stems from improper SVG namespace scope handling in the built-in sanitizer, letting nested-element payloads bypass attribute sanitization. No public exploit identified at time of analysis, but the issue is disclosed via a GitHub security advisory with a CVSS of 8.7 reflecting scope change to the embedding application.

Technical ContextAI

TinyMCE is a widely deployed WYSIWYG editor (cpe:2.3:a:tinymce:tinymce) embedded in CMSes, SaaS dashboards, ticketing systems, and email composers. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) caused by namespace confusion when the sanitizer processes SVG subtrees: SVG allows XML namespaces and foreignObject content where HTML parsing rules differ from the surrounding document, and when nested elements cross these boundaries the attribute allow/deny logic does not re-evaluate scope correctly. As a result, event handler attributes (e.g., onload, onerror) or javascript: URIs on otherwise-stripped elements survive sanitization and are interpreted by the browser when the content is later rendered.

RemediationAI

Vendor-released patch: TinyMCE 7.1.0 - upgrade all embedded instances to 7.1.0 or later as published in the upstream advisory at https://github.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69. Where an immediate upgrade is not possible, apply a server-side secondary sanitization pass on TinyMCE output using a hardened sanitizer (e.g., DOMPurify with SVG and MathML namespaces locked down) before persisting or rendering content, accepting that this may strip legitimate SVG markup users have authored; alternatively configure TinyMCE's valid_elements / invalid_elements to deny svg, foreignObject, and event-handler attributes, at the cost of losing inline SVG editing. Enforce a strict Content Security Policy (script-src without 'unsafe-inline' and with no permissive nonces echoed into editor output) to blunt the impact of any sanitizer bypass, noting CSP will not prevent same-origin DOM manipulation if inline scripts are otherwise permitted on the page.

CVE-2024-21911 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6

CVE-2024-21910 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), t

CVE-2024-21908 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6

CVE-2020-17480 MEDIUM POC
6.1 Aug 10

TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by

CVE-2019-1010091 MEDIUM POC
6.1 Jul 17

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. Rated medium

CVE-2026-47762 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript b

CVE-2026-47761 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via

CVE-2026-47759 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated

CVE-2012-4230 MEDIUM POC
4.3 Apr 25

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive

CVE-2024-29881 MEDIUM
6.1 Mar 26

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

CVE-2024-29203 MEDIUM
6.1 Mar 26

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

CVE-2023-48219 MEDIUM
6.1 Nov 15

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

Share

EUVD-2026-32920 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy