CVE-2026-47761

Content Spoofing
Affects: TinyMCE
Versions: <5.11.1, >=6.0.0 <7.9.3, >=8.0.0 <8.5.1
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

TinyMCE is a popular open-source, web-based rich text editor (WYSIWYG) that allows developers to embed an editable content area into web applications. It converts HTML elements into editable regions and provides a wide range of formatting, content insertion, and plugin capabilities.

A high-severity stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-47761) has been identified in TinyMCE's media plugin. With the media plugin enabled, TinyMCE trusts internal-looking placeholder attributes such as data-mce-object and data-mce-p-*. A crafted placeholder using data-mce-object together with a data-mce-p-onclick attribute is unprefixed by the media plugin during serialization into a real onclick attribute, so attacker-controlled JavaScript executes when the stored output is rendered and interacted with.

Per OWASP, Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites; they occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Details

Vulnerability Info

This high-severity vulnerability allows stored XSS for users of TinyMCE with the media plugin enabled.

The media plugin represents embedded media as placeholder elements that carry internal data-mce-object and data-mce-p-* attributes describing the real media element and its attributes. When serializing content, the plugin reconstructs the media element from these placeholder attributes, unprefixing each data-mce-p-* attribute into a live attribute. Because the placeholder attributes are trusted without sanitization, an attacker can smuggle an event handler such as data-mce-p-onclick that becomes a real onclick attribute on the reconstructed element.

This vulnerability could be exploited by:

  • crafting a placeholder element with data-mce-object and malicious data-mce-p-* attributes (for example data-mce-p-onclick)
  • having TinyMCE serialize the content so the prefixed attributes are unprefixed into live event handlers
  • storing the output so the injected handler executes when the content is rendered and clicked

The upstream fix ensures that media placeholder data-mce-object reconstruction is properly sanitized before placeholders are replaced with real media elements.
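To make the unprefixing step concrete, here is an added JavaScript illustration (not TinyMCE's own media plugin code) of a verbatim data-mce-p-* reconstruction next to an allowlist-based one, plus a small detector for handler placeholders in already-stored HTML. The data-mce-object and data-mce-p-* names come from the advisory; the element allowlist, function names and sample values are assumptions for the example.

```javascript
// Added illustration, not TinyMCE's own plugin code. The data-mce-object and
// data-mce-p-* names come from the advisory; the allowlist is an assumption.
const PREFIX = 'data-mce-p-';

// Vulnerable reconstruction: every data-mce-p-* attribute is unprefixed
// verbatim, so a stored data-mce-p-onclick becomes a live onclick handler.
function unprefixUnsafe(placeholderAttrs) {
  const out = {};
  for (const [name, value] of Object.entries(placeholderAttrs)) {
    if (name.startsWith(PREFIX)) out[name.slice(PREFIX.length)] = value;
  }
  return out;
}

// Hardened reconstruction: restore only an explicit per-element allowlist and
// never any on* attribute. ALLOWED is an assumed policy for this example.
const ALLOWED = {
  video: new Set(['src', 'width', 'height', 'controls', 'poster']),
  audio: new Set(['src', 'controls']),
  iframe: new Set(['src', 'width', 'height', 'title', 'allowfullscreen']),
};

function unprefixSafe(tagName, placeholderAttrs) {
  const allowed = ALLOWED[String(tagName).toLowerCase()] || new Set();
  const out = {};
  for (const [name, value] of Object.entries(placeholderAttrs)) {
    if (!name.startsWith(PREFIX)) continue;
    const real = name.slice(PREFIX.length).toLowerCase();
    if (real.startsWith('on') || !allowed.has(real)) continue; // drop handlers
    out[real] = value;
  }
  return out;
}

// Detection over already-stored HTML: report placeholder attributes that would
// unprefix into event handlers (a sign of a smuggled handler in stored content).
function findHandlerPlaceholders(html) {
  const re = /\bdata-mce-p-(on[a-z]+)\s*=/gi;
  return [...html.matchAll(re)].map((m) => m[1].toLowerCase());
}

// Constructed sample placeholder attributes (not a real payload).
const sample = {
  'data-mce-object': 'video',
  'data-mce-p-src': 'https://example.invalid/clip.mp4',
  'data-mce-p-controls': 'controls',
  'data-mce-p-onclick': 'handlerCode()',
};
```

Running unprefixSafe('video', sample) yields only src and controls, while unprefixUnsafe(sample) also carries the onclick attribute through; the detector is a cheap way to triage stored content created before an upgrade.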

Mitigation

TinyMCE versions that are End-of-Life will not receive any updates to address this issue from the upstream maintainers.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of TinyMCE.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity: High (CVSS assessment scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-47761
Project Affected: TinyMCE
Versions Affected: <5.11.1, >=6.0.0 <7.9.3, >=8.0.0 <8.5.1
NES Versions Affected:
Published date: June 11, 2026
≈ Fix date: June 8, 2026
Category: Content Spoofing