CVE-2026-47759
HighSummary
TinyMCE is an open source rich text editor that prior to versions 5.11.1, 7.9.3, and 8.5.1 had a stored XSS vulnerability via unsanitized data-mce-* attributes. This allows attackers to inject malicious values that can override safe attributes during serialization.
Risk Assessment
Organizations using vulnerable versions of TinyMCE may be exposed to XSS attacks, potentially leading to user data theft or session hijacking. This impacts application security and user trust.
Recommendation
It is recommended to update TinyMCE to versions 5.11.1, 7.9.3, or 8.5.1 to mitigate this vulnerability. Additionally, conducting a security audit of applications using this editor is advisable.
Original NVD description (English source)
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

