CVE-2026-47761

Published May 28th, 2026

View on NVD ↗

CVSS v3

8.7

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

tinymce/tinymce

The world's #1 JavaScript library for rich text editing. Available for React, Vue and Angular

GitHub

16.2K