TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src,...

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

AI Analysis

Stored XSS vulnerability via unsanitized data-mce-* attributes

Basic Information

ID CVE-2026-47759

Source GitHub_M

Published May 28, 2026 at 15:20

Affected Product

Vendor tinymce

Product tinymce

Version < 5.11.1

Affected Versions tinymce tinymce < 5.11.1
tinymce tinymce >= 6.0.0, <= 6.8.6
tinymce tinymce >= 7.0.0, < 7.9.3
tinymce tinymce >= 8.0.0, < 8.5.1

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor TinyMCE

Product TinyMCE

Version < 5.11.1, < 7.9.3, < 8.5.1

References

{
    "lastseen": "",
    "description": "TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.",
    "published": "2026-05-28T15:20:11.242Z",
    "modified": "2026-05-28T15:20:11.242Z",
    "type": "cve",
    "title": "TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes",
    "source": "GitHub_M",
    "references": "https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f\nhttps://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview\nhttps://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview",
    "id": "CVE-2026-47759",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "tinymce tinymce < 5.11.1\ntinymce tinymce >= 6.0.0, <= 6.8.6\ntinymce tinymce >= 7.0.0, < 7.9.3\ntinymce tinymce >= 8.0.0, < 8.5.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tinymce",
    "version": "< 5.11.1",
    "vendor": "tinymce",
    "ai_description": "Stored XSS vulnerability via unsanitized data-mce-* attributes",
    "ai_severity": "High",
    "ai_vendor": "TinyMCE",
    "ai_product": "TinyMCE",
    "ai_version": "< 5.11.1, < 7.9.3, < 8.5.1",
    "ai_score": 8.7
}

TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes_CVE-2026-47759