CVE-2026-47759
Status: Received - Intake
Stored XSS in TinyMCE Editor via data-mce- Attributes

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, TinyMCE has a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). An attacker can place malicious values in these internal attributes; during serialization those values override the corresponding validated href, src and style attributes, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Affected Vendors & Products
Vendor    Product   Version / Range
tinymce   tinymce   below 5.11.1
tinymce   tinymce   6.0.0 through 6.8.6 (inclusive)
tinymce   tinymce   7.0.0 up to, but excluding, 7.9.3
tinymce   tinymce   8.0.0 up to, but excluding, 8.5.1
CWE ID   Description
CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): the product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a stored cross-site scripting (XSS) issue that allows attackers to inject script into content, potentially impacting the confidentiality and integrity of data handled by the application that embeds TinyMCE.

Such impacts on confidentiality and integrity could have implications for compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or data manipulation.

However, the provided information does not explicitly discuss how this vulnerability affects compliance with these or other common standards and regulations.


Can you explain this vulnerability to me?

CVE-2026-47759 is a stored Cross-Site Scripting (XSS) vulnerability in TinyMCE, an open source rich text editor.

TinyMCE keeps an internal copy of certain attributes in data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style) and writes those copies back over the public href, src and style attributes when content is serialized. In the affected versions the data-mce-* values were not sanitized, so an attacker could supply an element whose visible attribute passes validation while the internal copy carries a malicious value such as a javascript: URL.

At serialization the unvalidated internal value replaces the validated one, bypassing validation and turning the stored content into an XSS payload for anyone who later views it.

The affected versions are TinyMCE 5.x (below 5.11.1), 6.x (6.0.0 through 6.8.6; no fixed 6.x release is listed), 7.x (7.0.0 through 7.9.2) and 8.x (8.0.0 through 8.5.0).

The issue was discovered by Tadi Kadango and Ivan Babenko and fixed in versions 5.11.1, 7.9.3 and 8.5.1 by stripping unsafe data-mce-* attributes during parsing.
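The override mechanism described above can be shown with a small model of the attribute round-trip: the public attribute is validated at parse time, then the internal data-mce-* copy is written back over it at serialization. This is an added example written for this page, not TinyMCE's own code; the attribute tokenizer, the safety checks and the sample stored HTML are simplified assumptions constructed for the example. It also includes an audit function for content that was saved while a vulnerable version was in use.

```javascript
// Added example written for this page; it is not TinyMCE's own code. It models
// the attribute round-trip the advisory describes: the public href/src/style is
// validated at parse time, but an internal data-mce-* copy is written back over
// it at serialization. The tokenizer and the safety checks are simplified
// assumptions made for the example.

const INTERNAL_TO_PUBLIC = {
  "data-mce-href": "href",
  "data-mce-src": "src",
  "data-mce-style": "style",
};

// Tokenize one tag's attribute string into a name -> value map.
// Handles name="v", name='v', name=v and bare names. Not an HTML parser.
function parseAttrs(attrString) {
  const attrs = Object.create(null);
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Safety check applied to a value destined for a public attribute. Whitespace
// and control characters are removed first so "java\tscript:" is not missed.
// Rejecting data: outright is a strict choice made for this example.
function isSafeValue(publicName, value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  if (publicName === "style") return !/expression\(|javascript:|vbscript:/.test(v);
  return !/^(javascript|vbscript|data):/.test(v);
}

// Serialization step shared by both models: the internal copy replaces the
// public attribute, which is the legitimate purpose of data-mce-*.
function writeBackInternal(attrs) {
  for (const [internal, pub] of Object.entries(INTERNAL_TO_PUBLIC)) {
    if (internal in attrs) {
      attrs[pub] = attrs[internal];
      delete attrs[internal];
    }
  }
}

// Pre-fix behaviour (model): only the public attribute is checked at parse
// time, so a safe href paired with an unsafe data-mce-href serializes to an
// unsafe href.
function vulnerableRoundTrip(attrString) {
  const attrs = parseAttrs(attrString);
  for (const pub of Object.values(INTERNAL_TO_PUBLIC)) {
    if (pub in attrs && !isSafeValue(pub, attrs[pub])) delete attrs[pub];
  }
  writeBackInternal(attrs);
  return attrs;
}

// Post-fix behaviour (model): an unsafe data-mce-* value is dropped during
// parsing, so whatever is written back at serialization has passed the check.
function fixedRoundTrip(attrString) {
  const attrs = parseAttrs(attrString);
  for (const [internal, pub] of Object.entries(INTERNAL_TO_PUBLIC)) {
    if (pub in attrs && !isSafeValue(pub, attrs[pub])) delete attrs[pub];
    if (internal in attrs && !isSafeValue(pub, attrs[internal])) delete attrs[internal];
  }
  writeBackInternal(attrs);
  return attrs;
}

// Audit stored HTML for tags whose data-mce-* or public attribute carries an
// unsafe value, for content saved while a vulnerable version was in use.
// Limitation: a '>' inside a quoted attribute value ends the tag early.
function auditStoredHtml(html) {
  const findings = [];
  const publicNames = new Set(Object.values(INTERNAL_TO_PUBLIC));
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    for (const [name, value] of Object.entries(parseAttrs(m[2]))) {
      const isInternal = Object.prototype.hasOwnProperty.call(INTERNAL_TO_PUBLIC, name);
      const pub = isInternal ? INTERNAL_TO_PUBLIC[name] : (publicNames.has(name) ? name : null);
      if (pub && !isSafeValue(pub, value)) {
        findings.push({ tag: m[1].toLowerCase(), attr: name, value });
      }
    }
  }
  return findings;
}

// Constructed sample of stored content, not taken from the advisory.
const STORED_SAMPLE = [
  '<p>Hello <a href="https://example.com/" data-mce-href="javascript:alert(1)">link</a></p>',
  '<img src="https://example.com/a.png" data-mce-src="https://example.com/a.png">',
  '<span style="color:red" data-mce-style="color:red;x:expression(alert(1))">t</span>',
].join("\n");

const PAYLOAD = 'href="https://example.com/" data-mce-href="javascript:alert(document.domain)"';
console.log("vulnerable:", vulnerableRoundTrip(PAYLOAD)); // href becomes javascript:alert(document.domain)
console.log("fixed:     ", fixedRoundTrip(PAYLOAD));      // href stays https://example.com/
console.log("audit:", auditStoredHtml(STORED_SAMPLE));     // two findings: the <a> and the <span>
```

The point of the model is the asymmetry: validating only the attribute a reviewer sees is useless when a second attribute is the one that ends up in the output. The fix applies the same check to the internal copy before it can be written back, and the audit function applies that check to content at rest, which an upgrade alone does not do.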


How can this vulnerability impact me?

An attacker who can get crafted content into the editor can have scripts of their choosing executed in the context of the affected application, in the browser of whoever later views that content.

Because the XSS is stored, the payload persists with the content and affects every user who opens it, not only the user who submitted it.

The CVSS score of 8.7 indicates high severity, with high impact on confidentiality and integrity: data visible to the victim's browser session can be stolen, and actions can be taken or data changed on the victim's behalf.

The attack is performed remotely over the network with low complexity; it requires only low privileges (an account able to submit content) and user interaction (a victim viewing the content).


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade TinyMCE to a release that contains the fix:

  • Upgrade to TinyMCE 5.11.1 if using the 5.x series.
  • Upgrade to TinyMCE 7.9.3 if using the 7.x series.
  • Upgrade to TinyMCE 8.5.1 if using the 8.x series.

These versions strip unsafe data-mce-* attributes during parsing, so a malicious internal value can no longer be written back over a validated attribute at serialization.

No fixed release is listed for the 6.x series (6.0.0 through 6.8.6 is affected), so a 6.x deployment is only covered by moving to 7.9.3 or 8.5.1.

No official workaround is available, so upgrading is the recommended immediate action. Because the payload is stored with the content, content saved while a vulnerable version was in use should also be reviewed for data-mce-href, data-mce-src and data-mce-style values carrying script URLs or CSS expressions.

