PatchSiren cyber security CVE debrief
CVE-2026-47759 tinymce CVE debrief
TinyMCE, an open source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 5.11.1, 7.9.3, and 8.5.1. The flaw exists in the handling of `data-mce-*` attributes (`data-mce-href`, `data-mce-src`, `data-mce-style`), which are not properly sanitized. Attackers can inject malicious values into these attributes that override safe attributes during the editor's serialization process, bypassing validation controls. This allows stored XSS payloads to execute when content is rendered. The vulnerability was published on May 28, 2026, and carries a CVSS 3.1 score of 8.7 (High). Affected version ranges include all versions below 5.11.1, versions 6.0.0 through 7.9.2, and versions 8.0.0 through 8.5.0. The vendor has released patched versions and published security advisories and release notes documenting the fixes.
- Vendor: tinymce
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations using TinyMCE in web applications for user-generated content editing, particularly those allowing untrusted users to create or edit rich text content. Development teams maintaining applications with embedded TinyMCE instances across any of the affected version branches (5.x, 6.x-7.x, or 8.x). Security teams responsible for XSS prevention in content management systems, forums, email clients, or any application rendering user-supplied HTML from TinyMCE.
Technical summary
The vulnerability stems from improper sanitization of the `data-mce-*` internal attributes that TinyMCE uses during content serialization. These attributes (`data-mce-href`, `data-mce-src`, `data-mce-style`) are intended to preserve original values while the editor transforms content, but malicious values injected into them can override the sanitized safe attributes in the final output. This bypasses the editor's validation mechanisms and results in stored XSS. Per the CVSS 3.1 scoring, the attack requires low privileges and user interaction, uses a network-based attack vector, and has changed scope.
Defensive priority
high
Recommended defensive actions
- Upgrade TinyMCE to version 5.11.1, 7.9.3, or 8.5.1 or later, depending on your current major version branch.
- Review and sanitize any stored content that may have been created or edited using affected TinyMCE versions, as stored XSS payloads may persist in your database or content repository.
- Implement Content Security Policy (CSP) headers as a defense-in-depth measure to mitigate the impact of any undiscovered XSS vectors.
- Validate that your application does not rely on client-side sanitization alone; ensure server-side output encoding is applied when rendering user-generated content.
- Monitor vendor security advisories for additional hardening recommendations or related security updates.
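Two of the actions above lend themselves to a script: confirming whether a deployed TinyMCE version falls inside the affected ranges, and triaging content that was saved while an affected version was in use. The Python below is an added example written for this debrief, not code from PatchSiren or the TinyMCE project. The version ranges are the three stated in the evidence notes; the sample HTML is constructed; the allow-list of URL schemes is an assumption to adjust per application; and the expectation that `data-mce-*` attributes should not appear in stored output follows from the advisory describing them as internal serialization attributes.

```python
"""Defender-side checks for CVE-2026-47759 (added example, not vendor code).

is_affected_version()  -- compares a TinyMCE version string against the three
                          vulnerable ranges from the advisory.
audit_stored_html()    -- scans stored editor output for persisted data-mce-*
                          attributes and for href/src values whose scheme is
                          not on the allow-list, so suspect records can be
                          queued for review before re-rendering.
"""
import re
from html.parser import HTMLParser

# Vulnerable ranges from the advisory: (lower bound inclusive, upper bound exclusive).
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 11, 1)),   # everything below 5.11.1
    ((6, 0, 0), (7, 9, 3)),    # 6.0.0 through 7.9.2
    ((8, 0, 0), (8, 5, 1)),    # 8.0.0 through 8.5.0
]


def parse_version(version):
    """'7.9.2' -> (7, 9, 2). Numeric components only; a missing patch level counts as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    ver = parse_version(version)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


# Assumed allow-list of URL schemes for href/src in user content; tune per application.
SAFE_SCHEMES = {"http", "https", "mailto", "tel"}
URL_ATTRS = {"href", "src"}
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def url_scheme(value):
    """Return the lower-cased scheme of a URL, or '' for a relative URL.

    Whitespace and C0 control characters are dropped first, since browsers
    ignore them when determining the scheme (so 'java\\tscript:' is still
    'javascript'). Note 'host:port/path' parses as scheme 'host', which matches
    how browsers read it.
    """
    cleaned = "".join(ch for ch in value if ch > " ")
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""


class EditorOutputAuditor(HTMLParser):
    """Collects (tag, attribute, value, reason) findings from one HTML fragment."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entity-encoded values are decoded
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name.startswith("data-mce-"):
                # Internal editor attributes should not survive serialization.
                self.findings.append((tag, name, value, "internal editor attribute persisted"))
            elif name in URL_ATTRS:
                scheme = url_scheme(value)
                if scheme and scheme not in SAFE_SCHEMES:
                    self.findings.append((tag, name, value, f"disallowed URL scheme '{scheme}'"))


def audit_stored_html(html):
    auditor = EditorOutputAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample of stored editor output: one clean paragraph, one persisted
# data-mce-href (entity-encoded), one image with a non-allow-listed scheme, one clean image.
SAMPLE_STORED_HTML = """
<p>Release notes for <a href="https://example.com/notes">the project</a>.</p>
<a href="https://example.com/safe" data-mce-href="&#106;avascript:void(0)">link</a>
<img src="javascript:void(0)" alt="x">
<img src="/uploads/logo.png" alt="logo">
"""

if __name__ == "__main__":
    for v in ("5.10.0", "5.11.1", "7.9.2", "7.9.3", "8.5.0", "8.5.1"):
        print(f"TinyMCE {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for tag, name, value, reason in audit_stored_html(SAMPLE_STORED_HTML):
        print(f"<{tag}> {name}={value!r}: {reason}")
```

The audit is a triage aid, not a sanitizer: records it flags should be re-sanitized server-side with the application's normal HTML policy rather than patched by hand, and the scheme allow-list should be extended or narrowed to match what the application legitimately stores.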
Evidence notes
The CVE description confirms stored XSS via unsanitized data-mce-* attributes. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N supports a network attack vector with low attack complexity, low privileges required, user interaction required, and changed scope with high confidentiality and integrity impact. CPE criteria define three vulnerable version ranges: <5.11.1, 6.0.0 to <7.9.3, and 8.0.0 to <8.5.1. CWE-79 (Improper Neutralization of Input During Web Page Generation) is identified as the primary weakness. The vendor security advisory and release notes were published by Tiny / GitHub Security Advisories.
Official resources
- CVE-2026-47759 CVE record (CVE.org)
- CVE-2026-47759 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Release Notes
2026-05-28