PT-2026-44388 · Tinymce · Tinymce
He1D3N
+1
·
Published
2026-05-28
·
Updated
2026-06-10
·
CVE-2026-47759
CVSS v3.1
8.7
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
TinyMCE versions prior to 5.11.1
TinyMCE versions prior to 7.9.3
TinyMCE versions prior to 8.5.1
Description
A stored Cross-Site Scripting (XSS) issue exists due to unsanitized
data-mce-* attributes, specifically data-mce-href, data-mce-src, and data-mce-style. This allows attackers to inject malicious values that override safe attributes during serialization, effectively bypassing validation.Recommendations
Update to version 5.11.1 LTS or higher.
Update to version 7.9.3 or higher.
Update to version 8.5.1 or higher.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tinymce