CVE-2026-47760
Analyzed Analyzed - Analysis Complete
Cross-Site Scripting in TinyMCE Editor

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-47760
EUVD
EUVD-2026-32920
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tiny tinymce From 6.8.0 (inc) to 7.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue found in TinyMCE versions 6.8.0 through 7.0.x. It occurs because the sanitizer improperly handles the SVG namespace scope, allowing an attacker to craft a payload with nested elements that bypass attribute sanitization. This enables the execution of arbitrary JavaScript code.

Impact Analysis

The vulnerability can have a significant impact by allowing attackers to execute arbitrary JavaScript in the context of the affected application. This can lead to unauthorized access to sensitive information, compromise of data integrity, and potentially further attacks on users or systems interacting with the vulnerable TinyMCE editor.

Detection Guidance

There is no official detection method or specific commands provided to detect this vulnerability on your network or system.

Since the vulnerability involves a crafted payload exploiting improper SVG namespace scope handling in TinyMCE versions 6.8.0 through 7.0.x, detection would typically require inspecting web application inputs or logs for suspicious nested SVG elements or JavaScript payloads.

Compliance Impact

The vulnerability allows execution of arbitrary JavaScript code through a Cross-Site Scripting (XSS) attack, which can lead to unauthorized access or manipulation of sensitive data.

Such unauthorized access or data manipulation can impact the confidentiality and integrity of data, potentially causing non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Given the high severity and network-based attack vector, organizations using affected versions of TinyMCE may face increased risk of data breaches or exposure, which could result in regulatory penalties or legal consequences.

Mitigation Strategies

The primary mitigation step is to upgrade TinyMCE to version 7.1.0 or later, where the vulnerability has been fixed.

No official workaround is available, so applying the patch by updating the software is the recommended immediate action.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart