These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
TinyMCE, an open source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 5.11.1, 7.9.3, and 8.5.1. The flaw exists in the handling of forged `mce:protected` HTML comments, which can be manipulated to bypass the editor's sanitization mechanisms. When content containing these malicious comments is later restored, embedded scripts execute in the victim's brows [truncated]
TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1 contain a stored cross-site scripting (XSS) vulnerability in the media plugin. Attackers can inject malicious scripts through crafted data-mce-* attributes, which execute when content is rendered. This affects users with the media plugin enabled. The vulnerability was disclosed on 2026-05-28 and carries a HIGH severity CVSS score of 8.7.
TinyMCE versions 6.8.0 through 7.0.x contain a high-severity cross-site scripting (XSS) vulnerability in the editor's sanitizer component. The flaw stems from improper handling of SVG namespace scope, allowing crafted payloads with nested elements to bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability was disclosed and fixed in version 7.1.0. The CVSS 3.1 score of 8.7 reflec [truncated]
TinyMCE, an open source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 5.11.1, 7.9.3, and 8.5.1. The flaw exists in the handling of `data-mce-*` attributes (`data-mce-href`, `data-mce-src`, `data-mce-style`), which are not properly sanitized. Attackers can inject malicious values into these attributes that override safe attributes during the editor's seri [truncated]