CVE-2026-47762
HighSummary
TinyMCE is an open source rich text editor that prior to versions 5.11.1, 7.9.3, and 8.5.1 had a stored XSS vulnerability via forged mce:protected comments. This allows attackers to bypass sanitization and inject scripts that execute when content is restored.
Risk Assessment
This vulnerability impacts users utilizing the protect option, potentially leading to unauthorized code execution in the user's browser context.
Recommendation
It is recommended to update TinyMCE to versions 5.11.1, 7.9.3, or 8.5.1 to mitigate this vulnerability.
Original NVD description (English source)
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

