Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). This allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Published: 2026-05-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TinyMCE, a widely used open-source rich text editor, keeps internal shadow attributes (data-mce-href, data-mce-src, data-mce-style) alongside the real href, src and style attributes and, when content is serialized, writes the shadow value back onto the real attribute. Before the fixed releases, shadow attributes supplied in input were not validated, so an attacker can submit content whose visible href, src or style is benign and passes validation while the data-mce-* copy carries a dangerous value, for example a javascript: URL, which then replaces the safe attribute on output. The result is stored cross-site scripting: arbitrary JavaScript runs in the browser of any user who views the serialized content, exposing session data and enabling further attacks. The weakness is classified as CWE-79.
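The override described above, as an added toy model written for this page (it is not TinyMCE's code and does not reproduce its serializer). The attribute names, the URL and style checks, and the two payload strings are constructed for the demo; an editor that keeps data-mce-* shadow attributes and copies them back onto href, src and style at serialization time is modelled in a vulnerable form, which never re-checks the copied value, and a hardened form, which applies the same check the real attribute had to pass.

```javascript
// Added example, not TinyMCE's code: a toy model of the attribute override
// the advisory describes. Editors that keep "internal" shadow attributes
// (data-mce-href, data-mce-src, data-mce-style) alongside the real ones can
// be tricked if the shadow value is copied back over the real attribute at
// serialization time without being validated. All functions here are
// illustrative; TinyMCE's actual serializer is not reproduced.

const INTERNAL_ATTRS = {
  'data-mce-href': 'href',
  'data-mce-src': 'src',
  'data-mce-style': 'style',
};

// Toy attribute parser for one opening tag. Handles "quoted", 'quoted' and
// unquoted values; good enough for the constructed inputs below.
function parseAttrs(tag) {
  const attrs = {};
  const re = /\s([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// URL check: strip control characters and whitespace that browsers ignore,
// then allow only relative URLs and the http(s)/mailto schemes.
function isSafeUrl(value) {
  const s = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(s);
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1]);
}

// Style check: reject constructs that pull in external resources or scripts.
function isSafeStyle(value) {
  return !/url\s*\(|expression\s*\(|javascript:|@import/i.test(value);
}

function checkAttr(name, value) {
  return name === 'style' ? isSafeStyle(value) : isSafeUrl(value);
}

// Insert-time validation as the vulnerable editor performs it: only the real
// attributes are checked; the data-mce-* shadows pass through untouched.
function validateOnInsert(attrs) {
  const out = { ...attrs };
  for (const real of ['href', 'src', 'style']) {
    if (real in out && !checkAttr(real, out[real])) delete out[real];
  }
  return out;
}

// Vulnerable serializer: copies each shadow value over the real attribute
// and drops the shadow, never re-checking what it just copied.
function serializeVulnerable(attrs) {
  const out = { ...attrs };
  for (const [internal, real] of Object.entries(INTERNAL_ATTRS)) {
    if (internal in out) {
      out[real] = out[internal];
      delete out[internal];
    }
  }
  return out;
}

// Hardened serializer: a shadow value only replaces the real attribute if it
// passes the same check the real attribute had to pass; otherwise the shadow
// is discarded and the already-validated real attribute survives.
function serializeHardened(attrs) {
  const out = { ...attrs };
  for (const [internal, real] of Object.entries(INTERNAL_ATTRS)) {
    if (!(internal in out)) continue;
    const candidate = out[internal];
    delete out[internal];
    if (checkAttr(real, candidate)) out[real] = candidate;
  }
  return out;
}

// Run one constructed tag through insert-time validation and both serializers.
function demo(tagHtml) {
  const open = tagHtml.slice(0, tagHtml.indexOf('>'));
  const inserted = validateOnInsert(parseAttrs(open));
  return {
    vulnerable: serializeVulnerable(inserted),
    hardened: serializeHardened(inserted),
  };
}

// Constructed attacker payloads: the real attribute is benign and passes
// validation; the shadow carries the value the attacker actually wants.
const LINK_PAYLOAD =
  '<a href="https://example.test/ok" data-mce-href="javascript:alert(document.domain)">click</a>';
const STYLE_PAYLOAD =
  '<span style="color:red" data-mce-style="background:url(https://attacker.test/beacon)">x</span>';

console.log(demo(LINK_PAYLOAD));
console.log(demo(STYLE_PAYLOAD));
```

In the vulnerable path the benign href that passed validation is silently replaced by the javascript: URL from the shadow attribute, which is exactly the "override safe attributes during serialization" the description refers to; the hardened path drops the shadow and keeps the validated value. The checks here are deliberately simple; the point is that whatever validation the editor applies to the real attribute must also apply to anything copied onto it.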

Affected Systems

The issue affects the tinymce TinyMCE editor. Versions prior to 5.11.1, 7.9.3, and 8.5.1 are vulnerable; the description names fixed releases on three branches but does not state an earliest affected version. Organizations running any release older than the fixed one on their branch should verify their installation and plan for an upgrade.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 8.7 (High; vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). EPSS data is not available, and the vulnerability is not listed in CISA KEV. The attack vector is stored XSS over the web: an attacker with an account that can submit editor content (PR:L) injects data-mce-* attributes, and a victim must later load that content (UI:R); the injected script then runs in the context of the host application, hence the Changed scope. Because the override happens during the editor's own serialization, validation applied to the visible href, src and style attributes does not stop it, so any application that relies on TinyMCE to sanitize untrusted input is exposed once the content is stored, with no further attacker interaction required.

Generated by OpenCVE AI on May 28, 2026 at 16:37 UTC.

Remediation

The CVE description states that the issue is fixed in 5.11.1, 7.9.3 and 8.5.1. No separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade TinyMCE to 5.11.1, 7.9.3 or 8.5.1, or a later release on the same branch
  • If an upgrade is not immediately possible, treat data-mce-* attributes as editor-internal: the editor removes them when it serializes content, so any that arrive from the client should be stripped before storage
  • Apply server-side sanitization with an allowlist that also validates the href, src and style values themselves before content is rendered
  • Review application code to ensure untrusted editor content is never rendered without that sanitization, including content stored before the upgrade
  • Log submissions that contain data-mce-* attributes as likely tampering and investigate the submitting account
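A server-side guard covering the strip-and-monitor actions above, added here as an example rather than taken from OpenCVE or TinyMCE. It assumes a Node.js handler receives the editor's HTML plus the submitting user; the submissions, the user names and the log-line format are constructed for the demo. The regex-based stripping is defence in depth next to a full HTML sanitizer, not a replacement for one.

```javascript
// Added example, not OpenCVE's or TinyMCE's code: a server-side guard for
// content submitted from the editor. TinyMCE's serializer removes its own
// data-mce-* attributes when it produces output, so a submission that still
// contains them was not produced by an unmodified editor and is worth both
// stripping and logging. Tag and attribute matching here is deliberately
// simple; run it alongside a real allowlisting HTML sanitizer.

// One data-mce-* attribute inside a tag, with or without a value.
const INTERNAL_ATTR_RE =
  /\s+(data-mce-[\w-]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/gi;

// Opening tags only; closing tags cannot carry attributes.
const OPEN_TAG_RE = /<[a-zA-Z][^<>]*>/g;

// Remove every data-mce-* attribute from every opening tag and report what
// was removed so the caller can decide whether to alert.
function stripInternalAttrs(html) {
  const removed = [];
  const clean = html.replace(OPEN_TAG_RE, (tag) =>
    tag.replace(INTERNAL_ATTR_RE, (_match, name, value) => {
      removed.push({
        name: name.toLowerCase(),
        value: value === undefined ? null : value.replace(/^["']|["']$/g, ''),
      });
      return '';
    }),
  );
  return { clean, removed };
}

// Per-submission audit: cleaned HTML to store, a tamper flag, and one log
// line per stripped attribute (constructed format, assumed for the demo).
function auditSubmission(submission) {
  const { clean, removed } = stripInternalAttrs(submission.html);
  const alerts = removed.map(
    (r) =>
      `editor-tamper user=${submission.user} attr=${r.name} value=${JSON.stringify(r.value)}`,
  );
  return { clean, tampered: removed.length > 0, alerts };
}

// Constructed submissions: one clean, one carrying shadow attributes that an
// unmodified editor would never have emitted.
const SUBMISSIONS = [
  { user: 'alice', html: '<p>Hello <a href="https://example.test">site</a></p>' },
  {
    user: 'mallory',
    html:
      '<p><a href="https://example.test" data-mce-href="javascript:alert(1)">site</a> ' +
      '<img src="/a.png" data-mce-src="https://attacker.test/x.png"></p>',
  },
];

for (const sub of SUBMISSIONS) {
  const result = auditSubmission(sub);
  console.log(sub.user, result.tampered ? 'TAMPERED' : 'ok', result.clean);
  for (const line of result.alerts) console.log(line);
}
```

Run this at the write boundary (the API handler that stores editor content) and once over existing stored content, since documents saved before the upgrade may already carry the attributes; the `tampered` flag feeds the monitoring action and the `alerts` lines are what an analyst would pivot on.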


Advisories

No advisories yet.

History

Thu, 28 May 2026 17:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Tinymce
                                       Tinymce tinymce
Vendors & Products                     Tinymce
                                       Tinymce tinymce

Thu, 28 May 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Title                          TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: score 8.7, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:20:11.242Z

Reserved: 2026-05-19T22:36:16.881Z

Link: CVE-2026-47759

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T16:16:28.070

Modified: 2026-05-28T16:16:28.070

Link: CVE-2026-47759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:45:20Z

Weaknesses