CVE-2026-47762

Summary

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

Affected Software

VendorProductVersion RangeStatus
tinymcetinymce< 5.11.1affected
tinymcetinymce>= 6.0.0, <= 6.8.6affected
tinymcetinymce>= 7.0.0, < 7.9.3affected
tinymcetinymce>= 8.0.0, < 8.5.1affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References