CVE Catalog

CVE-2026-47761

High
Published: Translated: NVD NIST

Summary

TinyMCE is an open source rich text editor that prior to versions 5.11.1, 7.9.3, and 8.5.1 had a stored XSS vulnerability in the media plugin. Attackers could inject malicious scripts via crafted data-mce-* attributes, which were executed when content was rendered.

Risk Assessment

This vulnerability could lead to the execution of malicious code in the context of users using TinyMCE with the media plugin enabled, posing a serious threat to data security.

Recommendation

It is recommended to update TinyMCE to versions 5.11.1, 7.9.3, or 8.5.1 to mitigate this vulnerability.

Original NVD description (English source)

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS