CVE-2026-47759

Summary

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

Affected Software

VendorProductVersion RangeStatus
tinymcetinymce< 5.11.1affected
tinymcetinymce>= 6.0.0, <= 6.8.6affected
tinymcetinymce>= 7.0.0, < 7.9.3affected
tinymcetinymce>= 8.0.0, < 8.5.1affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References