Security
Jun 11, 2026

TinyMCE XSS: Four Sanitization Bypass CVEs (CVE-2026-47759 to 47762)

How four separate content-sanitization gaps in TinyMCE let attacker-supplied editor content execute arbitrary JavaScript in any embedding application


On May 28, 2026, four cross-site scripting vulnerabilities in the TinyMCE rich-text editor were published to NVD (GitHub, the CNA, published the underlying advisories on May 20): CVE-2026-47759, CVE-2026-47760, CVE-2026-47761, and CVE-2026-47762. All four are stored or DOM-based XSS (CWE-79) caused by gaps in TinyMCE's content sanitization, and all four carry the same dual scoring: GitHub, the CNA, scored each at 8.7 (High, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), while NVD scored each at 5.4 (Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). Each requires a user with editor access (PR:L) to supply crafted content and a victim to render it (UI:R). The fixes landed in 7.9.3 and 8.5.1 on the supported open-source lines, and in 5.11.1 on the 5.x LTS line, which is available only under a commercial Tiny long-term support contract. There is no fix on the open-source TinyMCE 6.x line: 6.8.6 remains the final 6.x release, so applications pinned to TinyMCE 6 have no same-major upgrade path.

Running TinyMCE 6 with no upgrade path? TinyMCE 6 is end of life and received no fix for these four CVEs. See TinyMCE 6 End of Life: Unpatched XSS Vulnerabilities and What to Do Now.

The four TinyMCE XSS vulnerabilities at a glance

All four are Cross-Site Scripting (XSS) flaws classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). They share one root pattern: TinyMCE accepts content (typed, pasted, or programmatically set), runs it through its sanitizer, and the sanitizer fails to neutralize a specific construct. When the editor or the embedding application later renders that content, the construct executes JavaScript in the application's origin. The four sections below break down each CVE individually; the shared severity, affected-version, and mitigation detail follows.

CVE-2026-47759: TinyMCE XSS via data-mce- prefixed attributes

CVE-2026-47759 (GHSA-q742-qvgc-gc2f) is a stored XSS sanitization bypass through data-mce- prefixed src, href, and style attributes. TinyMCE uses internal data-mce- attributes to round-trip values it intends to restore on output, for example preserving a URL while the content is being edited. The sanitizer did not consistently re-validate these attributes on the way back out, so a crafted data-mce-src or data-mce-href value could carry a scriptable URI (such as a javascript: URI) into the rendered DOM. An attacker who can submit editor content sets the prefixed attribute; when a victim renders the content, the restored attribute executes script in the application origin. CNA score: 8.7 High. NVD score: 5.4 Medium. Both use vector base AV:N/AC:L/PR:L/UI:R/S:C and differ only on impact.

CVE-2026-47760: TinyMCE XSS via nested SVG sanitization bypass

CVE-2026-47760 (GHSA-mh5m-5hw4-5c69) is a stored XSS sanitization bypass through nested SVG elements. Deeply or unusually nested SVG structure evaded the element and attribute filtering that would otherwise strip scriptable content, allowing event-handler attributes or script-bearing SVG constructs to survive sanitization. When the resulting markup is rendered, the SVG payload executes JavaScript in the application origin. This CVE is recorded with the narrowest version range of the four: the advisory introduces it at 6.8.0 and fixes it at 7.1.0, so it affects only the >=6.8.0 <7.1.0 range and does not affect the later 7.x or 8.x releases. An attacker who can submit editor content supplies the nested-SVG payload; a victim rendering the content triggers execution. CNA score: 8.7 High. NVD score: 5.4 Medium.

CVE-2026-47761: TinyMCE XSS via media plugin data-mce-object injection

CVE-2026-47761 (GHSA-vg35-5wq7-3x7w) is a stored XSS injection through the media plugin's data-mce-object attribute. The media plugin stores a serialized representation of embedded objects (video, iframe, and similar embeds) in data-mce-object. A crafted value in that attribute was reflected back into the DOM without adequate sanitization, so an attacker could embed a malicious object representation that materializes as live, script-bearing markup on render. Applications that enable the media plugin and accept third-party editor content are the realistic exposure here. An attacker who can submit content through the media plugin supplies the crafted data-mce-object value; a victim rendering the embed triggers execution in the application origin. CNA score: 8.7 High. NVD score: 5.4 Medium.

CVE-2026-47762: TinyMCE XSS via mce:protected comment injection

CVE-2026-47762 (GHSA-v98h-vmpc-fpqv) is a stored XSS injection through mce:protected comments. TinyMCE wraps certain content in protected-comment markers to preserve it through processing without altering it. A crafted protected comment survived sanitization and rendered as live markup rather than inert preserved content, turning a preservation mechanism into an injection channel. An attacker who can submit editor content embeds a malicious mce:protected comment; when a victim renders the content, the protected payload executes script in the application origin. CNA score: 8.7 High. NVD score: 5.4 Medium.

Severity and exploit conditions

All four CVEs share the same CVSS exploitability profile and the same scoring divergence between the CNA and NVD. The two records agree on every exploitability metric and on Scope; they differ only on the C/I impact magnitude.

The only divergence is impact: the GitHub CNA assigns C:H/I:H (full script execution in the application origin, hence the 8.7 High rating), while NVD assigns C:L/I:L (limited confidentiality and integrity impact, hence the 5.4 Medium rating). The technical basis for the divergence is the assessment of what a single XSS execution yields in a typical deployment: the CNA scores the upper bound of what JavaScript in the application origin can reach, while NVD scores a more conservative direct impact. Both records agree the flaw is real, network-reachable, and authentication-gated at PR:L. Treat the PR:L requirement as a genuine precondition: these are not unauthenticated vulnerabilities. The realistic threat model is a multi-tenant or user-generated-content application where a low-privilege user (a commenter, a contributor, a CMS author) supplies content that an administrator or another user later renders.

What an attacker can do

A user who can submit content into a vulnerable TinyMCE instance can craft input that bypasses one of the four sanitization paths. When a victim renders that content, the injected script executes in the victim's session within the application's origin. Concretely, that enables:

  • Session hijacking: read and exfiltrate authentication cookies (where not HttpOnly) or session-bound tokens held in localStorage or sessionStorage.
  • Credential and data theft: scrape any data the victim's browser can reach in the application origin, including form fields and rendered PII.
  • Account actions on behalf of the victim: issue authenticated requests (CSRF-token-bearing, since the script runs in-origin) to perform state changes the victim is authorized for, such as changing an email address or escalating a role.
  • Defacement and phishing: rewrite the rendered DOM to display fraudulent content or harvest credentials through an injected form.

The injection vector differs per CVE (a data-mce-href/data-mce-src payload for 47759, a nested <svg> payload for 47760, a crafted data-mce-object value for 47761, a malicious mce:protected comment for 47762), but the downstream impact is identical because all four end in arbitrary script execution in the application origin.

Who is affected? TinyMCE affected versions

The vulnerable code is present across the 5.x, 6.x, 7.x, and 8.x lines. The fixes landed in 5.11.1 (commercial LTS), 7.9.3, and 8.5.1. CVE-2026-47760 (nested SVG) is recorded with a narrower introduced range than the other three; the table reflects the per-CVE ranges from the published advisories. A scanner reporting only "6.8.5, 6.8.6" is showing an installed-version match, not the full affected range: the advisories cover the full 6.x line and earlier.

The critical gap is the open-source TinyMCE 6 line. The final 6.x release is 6.8.6, and no patched 6.x build exists for any of these four CVEs. Any application pinned to TinyMCE 6 must either complete a major-version upgrade to 7.9.3 or later (which carries known migration cost), purchase a commercial Tiny LTS contract to move onto a patched 5.11.1 branch, or apply a remediation that does not require a major-version jump.
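The per-CVE ranges above are uneven (one CVE stops at 7.1.0, the other three are fixed at a different version on each major and never on 6.x), so a quick triage helper is worth having. This is an added example, not code from the post, the advisories or the TinyMCE project; it encodes only the ranges the post states, and majors it does not describe are reported as unknown:

```javascript
// Added example, not from the advisories or HeroDevs: triage an installed
// TinyMCE version against the ranges this post states. Assumption: for the
// three CVEs other than 47760 the post gives only the fixed versions (5.11.1,
// 7.9.3, 8.5.1) and says every 6.x release is affected; majors outside 5-8
// are not described by the post, so they are reported as null ("unknown").
const FIXED_IN = { 5: '5.11.1', 7: '7.9.3', 8: '8.5.1' }; // no entry for 6: no fix exists
const NESTED_SVG_RANGE = ['6.8.0', '7.1.0'];               // CVE-2026-47760: >=6.8.0 <7.1.0

function parseVersion(s) {
  const parts = String(s).trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${s}`);
  return parts;
}

// Numeric major.minor.patch comparison; returns <0, 0 or >0.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Returns the CVEs that apply to `version`, or null when the post's ranges
// do not cover that major line at all.
function affectedCves(version) {
  const major = parseVersion(version)[0];
  if (major !== 6 && !(major in FIXED_IN)) return null;
  const cves = [];
  // 47759/47761/47762: unfixed on 6.x; fixed at the per-major version elsewhere.
  if (major === 6 || compareVersions(version, FIXED_IN[major]) < 0) {
    cves.push('CVE-2026-47759', 'CVE-2026-47761', 'CVE-2026-47762');
  }
  const [lo, hi] = NESTED_SVG_RANGE;
  if (compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0) {
    cves.push('CVE-2026-47760');
  }
  return cves;
}

// Worked triage of a few versions (sample inputs, output is for the reader).
for (const v of ['6.8.6', '7.0.5', '7.9.3', '8.5.0', '5.11.1']) {
  console.log(v, affectedCves(v));
}
```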

Mitigation guidance

Defense-in-depth note: a strict CSP that disallows unsafe-inline script and an output-side sanitization pass (for example, server-side DOMPurify on stored editor content before render) materially reduce the blast radius of all four bypasses, but they are mitigations, not substitutes for the patch.
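An output-side pass is easiest to reason about when it refuses to render the four specific constructs before any sanitizer runs. The gate below is an added example, not TinyMCE's or HeroDevs' code; it assumes stored content came from the editor's normal serialized output (which carries no internal data-mce- attributes), uses constructed, inert sample markup, and is a triage step alongside a real sanitizer such as DOMPurify rather than a replacement for it:

```javascript
// Added example, not TinyMCE's or HeroDevs' code: a server-side gate run over
// stored editor HTML before render. It reports the four constructs the advisories
// name so an unpatched deployment (e.g. pinned to 6.8.6) can refuse to render
// flagged content. Assumption: stored content should carry no internal data-mce-
// attributes, so their presence is at least worth review. Complements DOMPurify.

// Undo numeric and common named entities so "javascript&#58;" is still caught.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&(amp|lt|gt|quot|apos|colon);/gi, (_, n) => named[n.toLowerCase()]);
}

// Scheme check after dropping whitespace/control bytes browsers ignore in URLs.
function hasScriptableScheme(url) {
  return /^(javascript|vbscript|data):/i.test(url.replace(/[\u0000-\u0020]/g, ''));
}

const MCE_ATTR = /\b(data-mce-(?:src|href|style|object))\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
// Returns a list of {cve, severity, where} findings; empty means nothing to flag.
function auditStoredContent(html) {
  const hits = [];
  for (const m of html.matchAll(MCE_ATTR)) {
    const name = m[1].toLowerCase();
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (name === 'data-mce-object') {            // CVE-2026-47761: media plugin embed
      hits.push({ cve: 'CVE-2026-47761', severity: 'high', where: name });
    } else if (hasScriptableScheme(value)) {     // CVE-2026-47759: scriptable URI round-trip
      hits.push({ cve: 'CVE-2026-47759', severity: 'high', where: name });
    } else {                                     // internal attribute persisted at all
      hits.push({ cve: 'CVE-2026-47759', severity: 'review', where: name });
    }
  }
  if (/<!--\s*mce:protected\b/i.test(html)) {    // CVE-2026-47762: protected comment
    hits.push({ cve: 'CVE-2026-47762', severity: 'high', where: 'mce:protected comment' });
  }
  let depth = 0;                                 // CVE-2026-47760: <svg> opened inside <svg>
  for (const t of html.matchAll(/<(\/?)svg\b/gi)) {
    if (t[1] === '/') depth = Math.max(0, depth - 1);
    else if (depth++ > 0) { hits.push({ cve: 'CVE-2026-47760', severity: 'high', where: 'nested <svg>' }); break; }
  }
  return hits;
}

// Constructed samples (inert, not real payloads): one benign document, one carrying each shape.
const CLEAN = '<p>Hi</p><a href="https://example.com/">ok</a><svg><circle r="1"/></svg>';
const FLAGGED = '<a data-mce-href="javascript&#58;void(0)">x</a><!-- mce:protected --><svg><svg/></svg>';
console.log(auditStoredContent(CLEAN).length, auditStoredContent(FLAGGED).map((h) => h.cve));
```

Wire `auditStoredContent` in front of the render path (reject or quarantine on any `high` finding, queue `review` findings for a human) and keep the CSP and DOMPurify pass in place behind it.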

Taking action

Four XSS sanitization bypasses in one disclosure is a reminder that a content sanitizer is a security boundary, and every feature that round-trips content (internal data-mce- attributes, SVG handling, the media plugin, protected comments) is a place that boundary can fail. Applications on TinyMCE 7 or 8 have a clean answer: upgrade to 7.9.3 or 8.5.1.

Applications on the open-source TinyMCE 6 line do not. The 6.x line is end of life, 6.8.6 is the last release, and none of these four CVEs were fixed on it. The patched 5.11.1 release exists only under a commercial Tiny LTS contract, so a free 6.x user's upstream choices are a forced major-version migration or a paid LTS subscription. If neither is immediately viable, you are running known, network-reachable XSS with no upstream patch. Review your options in TinyMCE 6 End of Life: Unpatched XSS Vulnerabilities and What to Do Now, and reach out to HeroDevs to discuss a remediation path for TinyMCE 6 that does not force an emergency migration.

Author
Greg Allen
Chief Technology Officer