CVE-2026-47760
HighSummary
TinyMCE is an open source rich text editor that from versions 6.8.0 to before 7.1.0 contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript.
Risk Assessment
This vulnerability may allow for the execution of malicious JavaScript code in the user's context, posing risks such as data theft or session hijacking. Organizations should be aware of the potential threats associated with this vulnerability.
Recommendation
It is recommended to update TinyMCE to version 7.1.0 or later to mitigate this vulnerability. Additionally, conducting a security audit of applications using TinyMCE is advisable.
Original NVD description (English source)
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

