CVE Catalog

CVE-2026-47760

High
Published: Translated: NVD NIST

Summary

TinyMCE is an open source rich text editor that from versions 6.8.0 to before 7.1.0 contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript.

Risk Assessment

This vulnerability may allow for the execution of malicious JavaScript code in the user's context, posing risks such as data theft or session hijacking. Organizations should be aware of the potential threats associated with this vulnerability.

Recommendation

It is recommended to update TinyMCE to version 7.1.0 or later to mitigate this vulnerability. Additionally, conducting a security audit of applications using TinyMCE is advisable.

Original NVD description (English source)

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS