CVE-2026-47760

Category: Content Spoofing
Affects: TinyMCE
Versions: >=6.8.0 <7.1.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

TinyMCE is a popular open-source, web-based rich text editor (WYSIWYG) that allows developers to embed an editable content area into web applications. It converts HTML elements into editable regions and provides a wide range of formatting, content insertion, and plugin capabilities.

A high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-47760) has been identified in TinyMCE's sanitizer due to improper SVG namespace scope handling. A crafted payload that begins with nested <svg> elements can leave the sanitizer treating a following HTML sibling as SVG-scoped, allowing an attacker-controlled event attribute to survive sanitization. When the sanitized output is later rendered, the event handler executes arbitrary JavaScript in the page context.

Per OWASP, Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites; they occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Details

Vulnerability Info

This high-severity vulnerability allows sanitization bypass and XSS through nested SVG namespace confusion.

TinyMCE's sanitizer tracks the SVG namespace scope as it walks parsed content so that SVG-specific elements and attributes are handled differently from HTML. A payload that opens nested <svg> elements corrupts this namespace tracking: when the outer SVG block closes, the sanitizer does not return to HTML scope, so an HTML element that follows the block is still treated as SVG-scoped. Because of this scope confusion, an attacker-controlled event attribute on that following element is filtered under the wrong rules and is not stripped during sanitization.

This vulnerability could be exploited by:

  • supplying content that begins with nested <svg> elements (for example two nested, empty SVG elements)
  • following the nested SVG block with an HTML element that carries a malicious event handler (such as an image element with an onerror handler)
  • having the sanitized output rendered, at which point the surviving event handler executes

The upstream fix corrects the namespace scope tracking through a rewrite of the affected sanitizer code.
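As an added illustration (not TinyMCE's DomParser code and not the upstream patch), the following constructed JavaScript models the bug class described above. A sanitizer that saves and restores the current namespace in a single slot loses the outer scope when <svg> elements nest, so the HTML sibling after the block is filtered under the SVG policy and keeps its onerror handler; a stack-based tracker restores the correct scope and the handler is stripped. The tokenizer, the attribute policy (deliberately lax in SVG scope so the mistake is observable), the tracker names and the payloads are all assumptions made for this demonstration.

```javascript
// Added illustration of SVG namespace-scope confusion in a sanitizer.
// This is a constructed toy, not TinyMCE's DomParser or the upstream fix;
// the tokenizer, attribute policy and tracker shapes are assumptions.

// Minimal tag tokenizer: <name attrs>, </name>, <name attrs/>. Text is passed through.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*?)\s*(\/?)>/g;
// name, name=value, name="value", name='value'
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function parseAttrs(raw) {
  return Array.from(raw.matchAll(ATTR_RE), (m) => [m[1], m[2] ?? ""]);
}

// Scope-dependent attribute policy. The HTML path strips every on* attribute.
// The SVG path is deliberately lax in this toy so the scope mistake is visible.
function filterAttrs(attrs, ns) {
  if (ns === "svg") return attrs;
  return attrs.filter(([name]) => !/^on/i.test(name));
}

// VULNERABLE tracker (constructed): one saved slot. A nested <svg> overwrites
// the value saved by the outer <svg>, so both </svg> tags restore "svg" and
// the scope never returns to HTML.
function singleSlotTracker() {
  let ns = null;
  let saved = null;
  return {
    enter() { saved = ns; ns = "svg"; },
    exit() { ns = saved; },
    current() { return ns; },
  };
}

// FIXED tracker (constructed): a stack, so each </svg> restores the scope that
// was current when its own <svg> opened.
function stackTracker() {
  const stack = [null];
  return {
    enter() { stack.push("svg"); },
    exit() { if (stack.length > 1) stack.pop(); },
    current() { return stack[stack.length - 1]; },
  };
}

// Walk the markup once, switching SVG scope on <svg>/</svg> and filtering
// each start tag's attributes under the scope the tracker reports.
function sanitize(html, tracker) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    const [whole, slash, rawName, rawAttrs, selfClose] = m;
    out += html.slice(last, m.index);
    last = m.index + whole.length;
    const name = rawName.toLowerCase();
    if (slash) {
      if (name === "svg") tracker.exit();
      out += `</${name}>`;
      continue;
    }
    if (name === "svg") tracker.enter();
    const kept = filterAttrs(parseAttrs(rawAttrs), tracker.current());
    out += "<" + name
      + kept.map(([k, v]) => (v ? ` ${k}=${v}` : ` ${k}`)).join("")
      + (selfClose ? "/" : "") + ">";
    if (selfClose && name === "svg") tracker.exit();
  }
  return out + html.slice(last);
}

// Constructed payloads in the shape the advisory describes: two nested empty
// SVG elements followed by an HTML image carrying an event handler, and the
// same thing without nesting as a control.
const NESTED_PAYLOAD = "<svg><svg></svg></svg><img src=x onerror=alert(1)>";
const FLAT_PAYLOAD = "<svg></svg><img src=x onerror=alert(1)>";

// Regression-style check: does any on* attribute survive sanitization?
function leaksEventHandler(html, tracker) {
  return /\son[a-z]+\s*=/i.test(sanitize(html, tracker));
}

console.log("single-slot, nested:", sanitize(NESTED_PAYLOAD, singleSlotTracker()));
console.log("stack,       nested:", sanitize(NESTED_PAYLOAD, stackTracker()));
console.log("single-slot, flat:  ", sanitize(FLAT_PAYLOAD, singleSlotTracker()));
```

The control payload shows why the nesting matters: with a single <svg> the one-slot tracker happens to restore the right scope, so a test suite that only covers flat SVG content never exercises the bug. A regression test for this class of issue should feed nested SVG followed by an HTML element with an on* attribute through the sanitizer and assert that no event attribute survives.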

Mitigation

TinyMCE versions that are End-of-Life will not receive any updates to address this issue from the upstream maintainers.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of TinyMCE (7.1.0 or later, per the affected range above).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details

Severity: High

CVSS severity scale used on this page:
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

ID: CVE-2026-47760
Project Affected: TinyMCE
Versions Affected: >=6.8.0 <7.1.0
NES Versions Affected:
Published date: June 11, 2026
Fix date (approx.): June 8, 2026
Category: Content Spoofing