CVE-2026-47762
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
Title source: cna
Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged `mce:protected` comments. It allows attackers to bypass sanitization and inject scripts that execute when content is restored. It impacts users who use the `protect` option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
References (3)
x_refsource_confirm: https://github.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv
x_refsource_misc: https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview
x_refsource_misc: https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview
Scores
CVSS v3: 8.7
EPSS: 0.0020
EPSS Percentile: 9.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-79
Status: published
Products (14)
npm/tinymce: 0 (npm)
npm/tinymce: 6.0.0 - 7.9.3 (npm)
npm/tinymce: 8.0.0 - 8.5.1 (npm)
nuget/TinyMCE: 0 (NuGet)
nuget/TinyMCE: 6.0.0 - 7.9.3 (NuGet)
nuget/TinyMCE: 8.0.0 - 8.5.1 (NuGet)
tiny/tinymce: < 5.11.1
tinymce/tinymce: 0 (Packagist)
tinymce/tinymce: 6.0.0 - 7.9.3 (Packagist)
tinymce/tinymce: 8.0.0 - 8.5.1 (Packagist)
... and 4 more
Published: May 28, 2026
Tracked Since: May 28, 2026