CVE-2026-47762

Content Spoofing
Affects: TinyMCE
Versions: <5.11.1, >=6.0.0 <7.9.3, >=8.0.0 <8.5.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

TinyMCE is a popular open-source, web-based rich text editor (WYSIWYG) that allows developers to embed an editable content area into web applications. It converts HTML elements into editable regions and provides a wide range of formatting, content insertion, and plugin capabilities.

A high-severity stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-47762) has been identified in TinyMCE's protected HTML handling. When the protect option is enabled, TinyMCE restores content from mce:protected HTML comments without checking that the decoded content actually matches a configured protect regular expression. An attacker can hide an encoded HTML payload inside an inert comment that survives an application's sanitization step, after which TinyMCE decodes and renders it so an injected event handler executes.

Per OWASP, Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites; they occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Details

Vulnerability Info

This high-severity vulnerability allows stored XSS for users who enable the protect option.

The protect option lets applications configure regular expressions for content that TinyMCE should preserve verbatim by encoding it inside mce:protected HTML comments. The vulnerable implementation decodes any comment beginning with mce:protected and marks the decoded result as raw HTML, without verifying that the decoded content actually matches a configured protect pattern. Because inert HTML comments commonly survive an application's own sanitization step, an attacker can forge a comment carrying an encoded payload that TinyMCE then decodes into live, executable markup.

This vulnerability could be exploited by:

  • forging an inert HTML comment that begins with mce:protected and contains an encoded HTML payload (for example an image element with an onerror handler)
  • passing the forged comment through an application sanitizer that leaves comments intact
  • having TinyMCE decode and restore the comment into raw HTML that executes when rendered

The upstream fix moves protected-comment restoration into a dedicated output filter that validates decoded mce:protected content against the configured protect regular expressions and removes forged comments that do not match.
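To make the difference between the vulnerable and the fixed behaviour concrete, here is an added, constructed illustration (not TinyMCE's own code, and not the upstream patch). It assumes URL-style percent encoding inside the comment as a stand-in for TinyMCE's actual encoding, and a hypothetical protect pattern for PHP tags as the application's configuration.

```javascript
// Constructed model of the CVE-2026-47762 bug class; not TinyMCE source.
// Assumption: protected content is percent-encoded inside the comment.
const PROTECTED_RE = /<!--mce:protected ([\s\S]*?)-->/g;

// Wrap every match of a configured protect pattern in an inert comment so the
// rest of the processing pipeline leaves it untouched.
function protectContent(html, patterns) {
  return patterns.reduce(
    (acc, re) => acc.replace(re, (m) => `<!--mce:protected ${encodeURIComponent(m)}-->`),
    html
  );
}

// Vulnerable behaviour: trust the comment prefix and restore whatever it carries
// as raw HTML, never asking whether a protect pattern could have produced it.
function unprotectVulnerable(html) {
  return html.replace(PROTECTED_RE, (_, enc) => decodeURIComponent(enc));
}

// Whole-string match against one configured pattern. The 'g' and 'y' flags are
// dropped so .test() is not influenced by a stale lastIndex.
function matchesProtectPattern(decoded, patterns) {
  return patterns.some((re) => {
    const anchored = new RegExp(`^(?:${re.source})$`, re.flags.replace(/[gy]/g, ''));
    return anchored.test(decoded);
  });
}

// Hardened behaviour, in the spirit of the upstream fix: a comment is restored
// only if its decoded content is exactly what a protect pattern would have
// captured; anything else (a forged comment) is removed rather than emitted.
function unprotectHardened(html, patterns) {
  return html.replace(PROTECTED_RE, (_, enc) => {
    let decoded;
    try { decoded = decodeURIComponent(enc); } catch { return ''; }
    return matchesProtectPattern(decoded, patterns) ? decoded : '';
  });
}

// Constructed sample configuration and inputs (hypothetical, for illustration).
const PROTECT = [/<\?php[\s\S]*?\?>/g];
const legit = '<p>Hello</p><?php echo "x"; ?>';
// A forged comment: its decoded content matches no configured protect pattern.
const forged = '<!--mce:protected ' + encodeURIComponent('<img src="x" onerror="x()">') + '-->';

// Legitimate content round-trips through both variants; the forged comment is
// restored to live markup by the vulnerable variant and dropped by the hardened one.
const legitRoundTrip = unprotectHardened(protectContent(legit, PROTECT), PROTECT);
```

Note that the forged comment contains no `<`, `>` or quotes once encoded, which is why a sanitizer that leaves comments intact does not notice it.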

Mitigation

TinyMCE versions that are End-of-Life will not receive any updates to address this issue from the upstream maintainers.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of TinyMCE.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity: High

CVSS severity scale used on this page:
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

ID: CVE-2026-47762
Project Affected: TinyMCE
Versions Affected: <5.11.1, >=6.0.0 <7.9.3, >=8.0.0 <8.5.1
NES Versions Affected:
Published date: June 11, 2026
≈ Fix date: June 8, 2026
Category: Content Spoofing