CVE Catalog

CVE-2026-47759

High
Published: Translated: NVD NIST

Summary

TinyMCE is an open source rich text editor that prior to versions 5.11.1, 7.9.3, and 8.5.1 had a stored XSS vulnerability via unsanitized data-mce-* attributes. This allows attackers to inject malicious values that can override safe attributes during serialization.

Risk Assessment

Organizations using vulnerable versions of TinyMCE may be exposed to XSS attacks, potentially leading to user data theft or session hijacking. This impacts application security and user trust.

Recommendation

It is recommended to update TinyMCE to versions 5.11.1, 7.9.3, or 8.5.1 to mitigate this vulnerability. Additionally, conducting a security audit of applications using this editor is advisable.

Original NVD description (English source)

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS