TinyMCE, a widely used open‑source rich text editor, contains a stored XSS flaw that allows attackers to embed malicious code by injecting data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). When content is saved, the editor serializes these attributes without proper filtering, allowing an attacker to override safe attributes during rendering. The vulnerability can lead to arbitrary JavaScript execution in the user's browser, exposing session data and enabling further attacks. It is a CWE‑79 weakness.

The issue affects the tinymce TinyMCE editor. Versions prior to 5.11.1, 7.9.3, and 8.5.1 are vulnerable. No version information beyond the release numbers is available. Organizations deploying any of these affected releases should verify their installation and plan for an upgrade.

The flaw has a CVSS score of 8.7, indicating severe impact. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is a web‑based stored XSS; an attacker must inject malicious data-mce-* attributes into content that is later served to other users. Successful exploitation requires write access to the editor content and that the rendered page allows script execution. Because the flaw bypasses input sanitization, it is immediately exploitable if the content is loaded in a browser, making it a high‑risk vulnerability for any application that relies on TinyMCE to handle untrusted input.