Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Published: 2026-05-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TinyMCE, a widely used open-source rich-text editor, contains a stored Cross-Site Scripting flaw in its media plugin before specific releases. By embedding malicious scripts through carefully crafted data-mce-* attributes, an attacker can cause arbitrary JavaScript to run whenever a page that loads the affected editor renders the content. This permits hijacking of user sessions, theft of credentials, or other client-side compromise.

Affected Systems

The vulnerability affects all releases of TinyMCE older than 5.11.1, 7.9.3, and 8.5.1. Users who deploy the media plugin and allow content to be stored in the editor are susceptible. Any deployment, whether self-hosted or via Tiny Cloud, is potentially impacted until the editor is upgraded to a fixed version.

Risk and Exploitability

The flaw scores a CVSS v3.1 of 8.7, indicating high severity. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog. A stored XSS attack requires the attacker to supply content that is stored and later rendered; typical attack paths include uploading a media item or posting edited content through the editor. Once embedded, the malicious script runs automatically for any user who views the stored data, making the exploit relatively trivial for those who can inject the payload.

Generated by OpenCVE AI on May 28, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to TinyMCE 5.11.1, 7.9.3, 8.5.1 or newer versions.
  • If immediate upgrade is not feasible, disable the media plugin or configure the editor to strip any data-mce-* attributes from stored content.
  • Validate or sanitize incoming content on the server side to reject dangerous data-mce-* attributes before persistence.
  • Monitor logs for attempts to inject malformed content with data-mce-* attributes.
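An added, server-side illustration of the third and fourth recommendations above (example code, not OpenCVE's or TinyMCE's own): a Python filter built on the standard-library HTML tokenizer that removes every data-mce-* attribute from submitted HTML before it is persisted and returns the list of stripped attributes so the event can be written to the audit log. It assumes, as the recommendation does, that stored content should carry no editor-internal data-mce-* attributes; the sample markup in the test is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements with no closing tag in HTML; never emit "</br>"-style closers for them.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


class McePrefixStripper(HTMLParser):
    """Re-serialises HTML, dropping every attribute whose name starts with data-mce-."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. exactly as written
        self.out = []
        self.removed = []  # (tag, attribute) pairs, for the audit log

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("data-mce-"):  # the parser lower-cases attribute names
                self.removed.append((tag, name))
                continue
            # The parser already unescaped the value, so re-escape it on the way out.
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_mce_attributes(html):
    """Return (clean_html, removed): filtered markup plus the stripped (tag, attr) pairs."""
    parser = McePrefixStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed
```

A non-empty `removed` list is the signal to log: it names the tag and attribute that a client tried to store, which is what the monitoring recommendation asks for. HTML comments are dropped by this filter, since stored editor content has no need for them.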

Generated by OpenCVE AI on May 28, 2026 at 16:36 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-vg35-5wq7-3x7w
Title: TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
History

Thu, 28 May 2026 19:30:00 +0000

First Time appeared (values added): Tiny; Tiny tinymce
CPEs (values added): cpe:2.3:a:tiny:tinymce:*:*:*:*:*:*:*:*
Vendors & Products (values added): Tiny; Tiny tinymce

Thu, 28 May 2026 17:00:00 +0000

First Time appeared (values added): Tinymce; Tinymce tinymce
Vendors & Products (values added): Tinymce; Tinymce tinymce

Thu, 28 May 2026 16:30:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 15:30:00 +0000

Description (values added): TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Title (values added): TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:26:49.455Z

Reserved: 2026-05-19T22:36:16.881Z

Link: CVE-2026-47761

Vulnrichment

Updated: 2026-05-28T15:26:46.243Z

NVD

Status : Analyzed

Published: 2026-05-28T16:16:28.337

Modified: 2026-05-28T19:18:37.370

Link: CVE-2026-47761

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:45:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')