TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments_CVE-2026-47762

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

AI Analysis

Stored XSS vulnerability via forged mce:protected comments in TinyMCE rich text editor

Basic Information

ID CVE-2026-47762

Source GitHub_M

Published May 28, 2026 at 15:21

Affected Product

Vendor tinymce

Product tinymce

Version < 5.11.1

Affected Versions tinymce tinymce < 5.11.1
tinymce tinymce >= 6.0.0, <= 6.8.6
tinymce tinymce >= 7.0.0, < 7.9.3
tinymce tinymce >= 8.0.0, < 8.5.1

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor TinyMCE

Product TinyMCE

Version < 5.11.1, < 7.9.3, < 8.5.1

References

{
    "lastseen": "",
    "description": "TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.",
    "published": "2026-05-28T15:21:36.882Z",
    "modified": "2026-05-28T15:21:36.882Z",
    "type": "cve",
    "title": "TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments",
    "source": "GitHub_M",
    "references": "https://github.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv\nhttps://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview\nhttps://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview",
    "id": "CVE-2026-47762",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "tinymce tinymce < 5.11.1\ntinymce tinymce >= 6.0.0, <= 6.8.6\ntinymce tinymce >= 7.0.0, < 7.9.3\ntinymce tinymce >= 8.0.0, < 8.5.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "tinymce",
    "version": "< 5.11.1",
    "vendor": "tinymce",
    "ai_description": "Stored XSS vulnerability via forged mce:protected comments in TinyMCE rich text editor",
    "ai_severity": "High",
    "ai_vendor": "TinyMCE",
    "ai_product": "TinyMCE",
    "ai_version": "< 5.11.1, < 7.9.3, < 8.5.1",
    "ai_score": 8.7
}