By vendor

Tiny vulnerabilities

Known CVEs affecting Tiny products, prioritized by severity, with SEC.co remediation and detection guidance.

4 published vulnerabilities

  • CVE-2026-47759HIGH 8.7

    TinyMCE, a widely-used open-source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in versions before 5.11.1, 7.9.3, and 8.5.1. Authenticated attackers can craft malicious content that exploits unsanitized data-mce-* attributes (such as data-mce-href, data-mce-src, and data-mce-style) to inject and persist malicious scripts. When the editor serializes the content, attackers' payloads override legitimate attribute protections, allowing arbitrary JavaScript execution in users' browsers. The vulnerability requires user interaction and authentication but affects all users viewing the injected content.

  • CVE-2026-47760HIGH 8.7

    TinyMCE, a widely used open-source rich text editor, contains a cross-site scripting (XSS) vulnerability in versions 6.8.0 through 7.0.x. The flaw stems from improper handling of SVG namespace scope within the editor's HTML sanitizer. An attacker with login access can craft malicious SVG payloads using nested elements that evade the sanitizer's attribute filtering, allowing them to inject and execute arbitrary JavaScript in the context of the application. The vulnerability requires user interaction (clicking or otherwise engaging with the crafted content) but can affect all users viewing that content once injected. This issue is resolved in TinyMCE 7.1.0.

  • CVE-2026-47761HIGH 8.7

    TinyMCE, a widely-used open source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in its media plugin. An authenticated attacker can inject malicious JavaScript by crafting specially formed data-mce-* HTML attributes within media content. When that content is later viewed or rendered by any user, the injected script executes in their browser with the privileges of the application. This is particularly dangerous because the malicious payload persists in the editor's content—it isn't just a temporary injection. Organizations using TinyMCE versions prior to 5.11.1, 7.9.3, or 8.5.1 with the media plugin active should prioritize upgrading immediately.

  • CVE-2026-47762HIGH 8.7

    TinyMCE, a widely-used open-source rich text editor, contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts into protected content. The flaw exists in how the editor processes specially crafted comments marked with the mce:protected tag, bypassing built-in sanitization controls. When a user later restores or views the protected content, the injected script executes in their browser. This affects users who have enabled TinyMCE's protect option, a feature designed to mark content as requiring special handling. The vulnerability has been patched in versions 5.11.1, 7.9.3, and 8.5.1.