Description
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.
Published: 2026-05-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TinyMCE, an open‑source rich text editor, is affected by a Cross‑Site Scripting flaw that arises from improper handling of the SVG namespace scope during sanitization. A crafted payload that nests SVG elements can bypass attribute sanitization and cause the editor to execute arbitrary JavaScript when the content is rendered in a browser. The vulnerability is present in releases between 6.8.0 and just before 7.1.0 and has been fixed in 7.1.0.

Affected Systems

Any installation of TinyMCE with a version from 6.8.0 up to, but not including, 7.1.0 is vulnerable. The affected releases belong to the tinymce vendor of the open‑source rich‑text editor.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by injecting malicious content into any editable field that uses TinyMCE, for example via user‑submitted posts or API data that is rendered in the editor. When the injected content is displayed, the JavaScript runs in the victim’s browser, giving the attacker the privileges of the viewer.

Generated by OpenCVE AI on May 28, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TinyMCE to version 7.1.0 or newer, which contains the sanitization fix.
  • If an immediate upgrade is not feasible, disable SVG support or remove the SVG plugin from the editor configuration, preventing the problematic elements from being processed.
  • Add an external sanitization step that removes all SVG tags and namespace attributes before the content reaches TinyMCE.

Generated by OpenCVE AI on May 28, 2026 at 16:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Tinymce
Tinymce tinymce
Vendors & Products Tinymce
Tinymce tinymce

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.
Title TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Tinymce Tinymce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:18:22.509Z

Reserved: 2026-05-19T22:36:16.881Z

Link: CVE-2026-47760

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-28T16:16:28.210

Modified: 2026-05-28T16:16:28.210

Link: CVE-2026-47760

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:00:13Z

Weaknesses