CVE-2026-47762
8.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| tinymce | tinymce | < 5.11.1 | affected |
| tinymce | tinymce | >= 6.0.0, <= 6.8.6 | affected |
| tinymce | tinymce | >= 7.0.0, < 7.9.3 | affected |
| tinymce | tinymce | >= 8.0.0, < 8.5.1 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv
- https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview
- https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.