PT-2026-44388 · Tinymce · Tinymce

He1D3N

+1

·

Published

2026-05-28

·

Updated

2026-06-10

·

CVE-2026-47759

CVSS v3.1

8.7

High

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions TinyMCE versions prior to 5.11.1 TinyMCE versions prior to 7.9.3 TinyMCE versions prior to 8.5.1
Description A stored Cross-Site Scripting (XSS) issue exists due to unsanitized data-mce-* attributes, specifically data-mce-href, data-mce-src, and data-mce-style. This allows attackers to inject malicious values that override safe attributes during serialization, effectively bypassing validation.
Recommendations Update to version 5.11.1 LTS or higher. Update to version 7.9.3 or higher. Update to version 8.5.1 or higher.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47759
GHSA-Q742-QVGC-GC2F

Affected Products

Tinymce