CVE-2026-47759

Published May 28th, 2026

View on NVD ↗

CVSS v3

8.7

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

tinymce/tinymce

The world's #1 JavaScript library for rich text editing. Available for React, Vue and Angular

GitHub

16.2K