CVE-2026-47761

Summary

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

Affected Software

VendorProductVersion RangeStatus
tinymcetinymce< 5.11.1affected
tinymcetinymce>= 6.0.0, <= 6.8.6affected
tinymcetinymce>= 7.0.0, < 7.9.3affected
tinymcetinymce>= 8.0.0, < 8.5.1affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References