PT-2026-44391 · Tinymce · Tinymce

He1D3N

·

Published

2026-05-28

·

Updated

2026-06-10

·

CVE-2026-47762

CVSS v3.1

8.7

High

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions TinyMCE versions prior to 5.11.1 TinyMCE versions prior to 7.9.3 TinyMCE versions prior to 8.5.1
Description A stored Cross-Site Scripting (XSS) issue exists via forged mce:protected comments. This allows attackers to bypass sanitization and inject scripts that execute when content is restored. The issue impacts users who utilize the protect option.
Recommendations Update to version 5.11.1 Update to version 7.9.3 Update to version 8.5.1

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47762
GHSA-V98H-VMPC-FPQV

Affected Products

Tinymce