CVE-2026-47759

Content Spoofing

Affects: TinyMCE
Versions: <5.11.1, >=6.0.0 <7.9.3, >=8.0.0 <8.5.1
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

TinyMCE is a popular open-source, web-based rich text editor (WYSIWYG) that allows developers to embed an editable content area into web applications. It converts HTML elements into editable regions and provides a wide range of formatting, content insertion, and plugin capabilities.

A high-severity stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-47759) has been identified in TinyMCE. The editor uses internal data-mce- prefixed attributes such as data-mce-href, data-mce-src, and data-mce-style to retain original values during editing. An attacker can supply content that pairs a safe unprefixed attribute with a malicious prefixed attribute (for example a data-mce-href carrying a javascript: URL). The parser validates the unprefixed attribute but preserves the unsanitized prefixed value, and TinyMCE later serializes that prefixed value back into the unprefixed attribute, so the stored content can execute arbitrary JavaScript when rendered.

Per OWASP, Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites; they occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Details

Module Info

Vulnerability Info

This high-severity vulnerability allows stored XSS through unsanitized data-mce- prefixed attributes.

TinyMCE retains certain original attribute values internally using data-mce- prefixed copies. The vulnerable parser validates the visible, unprefixed attribute but does not sanitize the prefixed counterpart. During serialization, TinyMCE restores the retained data-mce-href, data-mce-src, and data-mce-style values back into the live href, src, and style attributes, overriding the validated value with attacker-controlled content.

This vulnerability could be exploited by:

  • supplying a safe unprefixed attribute alongside a malicious data-mce-href, data-mce-src, or data-mce-style attribute
  • embedding a javascript: URL or other script payload in the prefixed attribute
  • storing the content so it executes when the serialized output is later rendered and interacted with

The upstream fix adds a parser attribute filter that strips data-mce-src, data-mce-href, and data-mce-style before TinyMCE's retained-attribute handling can restore them during serialization.
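The following is an added example, not code from TinyMCE or HeroDevs: a server-side compensating control in the same spirit as the upstream parser attribute filter. It reports any retained data-mce-href/src/style attribute whose value disagrees with the visible attribute, and strips the retained attributes before content is stored so serialization has nothing to restore. The sample HTML and the helper names are constructed for this illustration; the tag/attribute regexes are a deliberately minimal parser, not a general HTML sanitizer.

```javascript
// Retained attributes that TinyMCE restores into href/src/style on serialization.
const RETAINED_ATTRS = new Set(['data-mce-href', 'data-mce-src', 'data-mce-style']);

// Minimal start-tag and attribute tokenizers (illustrative, not a full HTML parser).
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttributes(attrText) {
  const attrs = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? null });
  }
  return attrs;
}

// Detection: a retained value that differs from the live attribute is exactly the
// condition under which serialization would override the validated value.
function findRetainedOverrides(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const byName = new Map(parseAttributes(m[2]).map(a => [a.name, a.value]));
    for (const [name, value] of byName) {
      if (!RETAINED_ATTRS.has(name)) continue;
      const live = byName.get(name.slice('data-mce-'.length)) ?? null;
      if (value !== live) findings.push({ tag: m[1].toLowerCase(), attr: name, value, live });
    }
  }
  return findings;
}

// Mitigation: drop the retained attributes so only the validated href/src/style survive.
function stripRetainedAttributes(html) {
  return html.replace(TAG_RE, (whole, tag, attrText, selfClose) => {
    const kept = parseAttributes(attrText).filter(a => !RETAINED_ATTRS.has(a.name));
    const rendered = kept.map(a =>
      a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`);
    return `<${tag}${rendered.length ? ' ' + rendered.join(' ') : ''}${selfClose ? ' /' : ''}>`;
  });
}

// Constructed sample: a validated href paired with a mismatching retained value,
// plus an image whose retained src agrees with the live one (benign).
const SAMPLE_HTML = '<p><a href="https://example.com/ok" data-mce-href="javascript:void(0)">link</a>'
  + '<img src="a.png" data-mce-src="a.png"></p>';

module.exports = { findRetainedOverrides, stripRetainedAttributes, SAMPLE_HTML };
```

Running `findRetainedOverrides(SAMPLE_HTML)` flags only the anchor, and `stripRetainedAttributes(SAMPLE_HTML)` leaves the validated href and src in place with the data-mce- copies removed.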

Mitigation

TinyMCE versions that are End-of-Life will not receive any updates to address this issue from the upstream maintainers.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of TinyMCE.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details

Severity: High

CVSS severity levels:
  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10

ID: CVE-2026-47759
Project Affected: TinyMCE
Versions Affected: <5.11.1, >=6.0.0 <7.9.3, >=8.0.0 <8.5.1
NES Versions Affected:
Published date: June 11, 2026
Fix date (approximate): June 8, 2026
Category: Content Spoofing