Skip to main content

TinyMCE EUVDEUVD-2026-32923

| CVE-2026-47762 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-28 GitHub_M GHSA-v98h-vmpc-fpqv
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 28, 2026 - 17:01 EUVD
Analysis Generated
May 28, 2026 - 15:50 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on tinymce (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.0.0.

DescriptionGitHub Advisory

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

AnalysisAI

Stored cross-site scripting in TinyMCE rich text editor allows authenticated attackers to inject persistent JavaScript by forging mce:protected comments that bypass the editor's sanitization layer. Affected deployments are those using the protect configuration option in versions prior to 5.11.1, 7.9.3, and 8.5.1, where malicious scripts execute when previously stored content is restored into the editor context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 8.7 (scope-changed) rating reflects high confidentiality and integrity impact against the user's browser session.

Technical ContextAI

TinyMCE is a widely embedded open source WYSIWYG/rich text editor (CPE cpe:2.3:a:tinymce:tinymce) used in CMS platforms, ticketing systems, and SaaS dashboards. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw rooted in how TinyMCE handles mce:protected comment nodes - a special internal marker used by the 'protect' option to preserve fragments of content (typically server-side templating syntax like PHP or ASP tags) from being mangled by the editor's HTML sanitization. By crafting input that forges this protected-comment wrapper, an attacker can smuggle script content past the sanitizer; the payload is rehydrated and executed when the editor later restores the content into the DOM. The bug is fixed in the 5.11.1, 7.9.3, and 8.5.1 release lines per the GHSA-v98h-vmpc-fpqv advisory.

RemediationAI

Vendor-released patch: upgrade TinyMCE to 5.11.1, 7.9.3, or 8.5.1 (or later) on the corresponding major-version line, as documented in the GHSA-v98h-vmpc-fpqv advisory and the 7.9.3 and 8.5.1 release notes linked above. If immediate upgrade is not possible, disable the 'protect' configuration option in the TinyMCE initialization - note the trade-off that any server-side templating syntax (PHP, ASP, JSP tags) previously shielded by protect will then be subject to the editor's normal HTML processing and may be altered or stripped. As an additional compensating control, enforce a strict Content-Security-Policy that disallows inline script and unsafe-eval on pages that render user-authored TinyMCE content, which limits payload execution at the cost of breaking any legitimate inline scripts in the same documents; and review server-side output sanitization (e.g., DOMPurify on render) to defense-in-depth filter mce:protected comment markers before content is restored.

CVE-2024-21911 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6

CVE-2024-21910 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. Rated medium severity (CVSS 6.1), t

CVE-2024-21908 MEDIUM POC
6.1 Jan 03

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. Rated medium severity (CVSS 6

CVE-2020-17480 MEDIUM POC
6.1 Aug 10

TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by

CVE-2019-1010091 MEDIUM POC
6.1 Jul 17

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. Rated medium

CVE-2026-47761 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE's media plugin allows authenticated attackers to inject malicious JavaScript via

CVE-2026-47759 HIGH
8.7 May 28

Stored cross-site scripting in TinyMCE rich text editor versions prior to 5.11.1, 7.9.3, and 8.5.1 allows authenticated

CVE-2026-47760 HIGH
8.7 May 28

Stored/reflected cross-site scripting in TinyMCE rich text editor versions 6.8.0 through 7.0.x allows authenticated user

CVE-2012-4230 MEDIUM POC
4.3 Apr 25

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive

CVE-2024-29881 MEDIUM
6.1 Mar 26

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

CVE-2024-29203 MEDIUM
6.1 Mar 26

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

CVE-2023-48219 MEDIUM
6.1 Nov 15

TinyMCE is an open source rich text editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable

Share

EUVD-2026-32923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy