Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. This allows attackers to bypass sanitization and inject scripts that execute when the content is restored. It impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Published: 2026-05-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TinyMCE, an open-source rich-text editor, contains a stored cross-site scripting flaw: forged mce:protected comments bypass the editor's sanitization, so injected scripts execute when the protected content is restored and the page is displayed (CWE-79).

Affected Systems

The vulnerability affects all TinyMCE (tinymce:tinymce) installations running versions earlier than 5.11.1, 7.9.3, or 8.5.1 that enable the protect option for comments.

Risk and Exploitability

The CVSS score of 8.7 classifies the flaw as high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The attack vector is a stored XSS: an attacker must be able to submit or modify editor content that is later rendered for users of an editor with the protect option enabled. Once the forged comment is stored, the injected script runs for any user who views that content, giving the attacker client-side code execution in the victim's browser.

Generated by OpenCVE AI on May 28, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tinymce to v5.11.1, v7.9.3, or v8.5.1 or later.
  • If immediate upgrade is not possible, disable the protect option in the editor configuration to stop the use of mce:protected comments.
  • Apply strict sanitization or a content security policy on pages that render the editor output to prevent execution of injected scripts.
  • Audit stored content for unexpected mce:protected comments and remove or neutralize them.


Tracking


Advisories

No advisories yet.

History

Thu, 28 May 2026 17:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Tinymce; Tinymce tinymce
Vendors & Products    (none)           Tinymce; Tinymce tinymce

Thu, 28 May 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Title         (none)           TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
Weaknesses    (none)           CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1: score 8.7, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:21:36.882Z

Reserved: 2026-05-19T22:36:16.881Z

Link: CVE-2026-47762

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-28T16:16:28.470

Modified: 2026-05-28T16:16:28.470

Link: CVE-2026-47762

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T17:00:13Z

Weaknesses