HIGH 8.7

CVE-2026-47759: TinyMCE Stored XSS via data-mce-* Attributes (8.7 HIGH)

TinyMCE, a widely-used open-source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in versions before 5.11.1, 7.9.3, and 8.5.1. Authenticated attackers can craft malicious content that exploits unsanitized data-mce-* attributes (such as data-mce-href, data-mce-src, and data-mce-style) to inject and persist malicious scripts. When the editor serializes the content, attackers' payloads override legitimate attribute protections, allowing arbitrary JavaScript execution in users' browsers. The vulnerability requires user interaction and authentication but affects all users viewing the injected content.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient sanitization of custom TinyMCE data attributes during the serialization process. Specifically, data-mce-href, data-mce-src, and data-mce-style attributes are not properly validated before being written back into the document. An authenticated user with editor privileges can insert specially crafted values into these attributes. During serialization—when the editor converts its internal state back to HTML—these malicious values are not stripped or escaped, bypassing the validation controls designed to protect standard href, src, and style attributes. This allows injection of arbitrary HTML and JavaScript that persists in the database and executes in the context of any user viewing the content. The CVSS 3.1 score of 8.7 (HIGH) reflects the combination of network-based attack vector, low attack complexity, requirement for low-level privilege (authenticated user), required user interaction, and cross-site scope impact with high confidentiality and integrity risk.

Business impact

Organizations using TinyMCE in content management systems, blogs, collaboration platforms, or any application allowing user-generated rich text content face significant risk. A malicious editor or compromised editor account can inject persistent XSS payloads that affect all downstream viewers—potentially stealing session tokens, capturing keystrokes, redirecting users, or defacing content. In multi-tenant environments, a single compromised account could impact numerous end users. The attack is particularly dangerous because the payload is stored, meaning repeated exposure to unpatched systems increases harm accumulation. Customer trust, compliance posture (especially if handling regulated data), and operational continuity could all be compromised if sensitive user data is exfiltrated via XSS.

Affected systems

TinyMCE versions prior to 5.11.1 (legacy line), 7.9.3 (long-term support line), and 8.5.1 (current line) are affected. Any application embedding or integrating TinyMCE for rich text editing is potentially vulnerable if running an unpatched version. This includes content management platforms, customer support portals, marketing automation tools, knowledge management systems, and collaborative document editors. Organizations should inventory all instances of TinyMCE across their infrastructure—both direct integrations and those bundled within third-party applications—to determine exposure.

Exploitability

Exploitation requires authentication (an editor account or higher privilege) and user interaction (the victim must view content containing the injected payload). However, both barriers are relatively low in practical terms: many web applications grant editor roles broadly, and viewing user-generated content is routine. The attack is not wormable—each payload requires intentional placement—but a single malicious editor can affect many viewers. No public exploit code or active exploitation has been identified at the time of this analysis, and the vulnerability is not yet tracked in CISA's Known Exploited Vulnerabilities catalog, reducing immediate real-world risk. Nevertheless, the straightforward nature of the attack (attribute injection during serialization) means weaponized proof-of-concept code could emerge rapidly once the fix is widely understood.

Remediation

Upgrade to TinyMCE 5.11.1, 7.9.3, or 8.5.1 or later, depending on your current branch. For users unable to patch immediately, restrict editor privileges to trusted personnel, implement Content Security Policy (CSP) headers to mitigate XSS impact, and consider disabling custom data attributes if not required by your application. Code review of any custom TinyMCE plugins or integrations may reveal similar sanitization gaps. Input validation and output encoding should be reinforced at the application layer as defense-in-depth.

Patch guidance

Identify all TinyMCE instances by version number. Check your package manager (npm, yarn, composer, etc.), vendor package repositories, and bundled instances within third-party applications. Plan a phased rollout: prioritize high-traffic or sensitive content applications first. Test thoroughly in staging—particularly any custom plugins, toolbar configurations, or serialization hooks—before rolling out to production. For npm-based projects, run `npm update tinymce` and verify the resulting version matches 5.11.1, 7.9.3, or 8.5.1 or later. Review TinyMCE's official release notes for any breaking changes or deprecations in your target version. For air-gapped or offline deployments, verify patch availability through your vendor's advisory or download mirrors before committing to a timeline.

Detection guidance

Monitor application logs for editor activity involving unusual data-mce-* attribute values, particularly those containing script tags, event handlers (onclick, onerror), or protocol schemes (javascript:, data:). Web application firewalls (WAFs) can detect patterns matching XSS payloads in POST requests to editor endpoints. Look for stored XSS indicators: unusual HTML in database records, particularly in fields edited via TinyMCE, and subsequent alerts from browser-based XSS detection (CSP violations, sanitizer logs). Check for DOM-based alerts where malicious data-mce-* attributes are being read and executed. Correlate editor login events with high volumes of content submissions or modifications. For post-incident analysis, audit content revision history and compare serialized HTML output before and after suspicious edit timestamps.

Why prioritize this

While not yet in active exploitation, this vulnerability merits prompt attention due to its stored nature (persistent across all viewers), broad applicability (TinyMCE is ubiquitous in web applications), and low barrier to exploitation (requires only authenticated access and user viewing). The 8.7 CVSS score reflects high integrity and confidentiality impact. Patching before widespread public tooling emerges will significantly reduce risk. Organizations with public-facing or multi-user content systems should prioritize within 30 days; those with tightly controlled internal editors may extend to 60 days if compensating controls are in place.

Risk score, explained

The CVSS 3.1 score of 8.7 (HIGH) is driven by: (1) network attack vector—exploitation occurs via HTTP/HTTPS; (2) low attack complexity—no special conditions or tools required, just attribute injection; (3) low privilege requirement—an authenticated user role (which many applications distribute liberally) suffices; (4) required user interaction—the victim must view the malicious content, but this is routine in collaborative systems; (5) changed scope—the injected script executes in the context of other users' browsers, affecting confidentiality and integrity beyond the editor's session; (6) high confidentiality and integrity impact—stolen session cookies, credential harvesting, or content manipulation are feasible; (7) no availability impact. The score reflects a serious but not critical vulnerability: widespread but not trivial to trigger.

Frequently asked questions

Does this vulnerability require the attacker to have administrative access?

No. Any user with editor privileges (typically a 'contributor' or 'editor' role in content management systems) can exploit this. If your application grants editor roles to many users, or if editor accounts are compromised via phishing or weak passwords, the risk surface is substantially larger.

Can this vulnerability be exploited by an unauthenticated attacker?

No. The vulnerability explicitly requires authentication. However, some web applications offer free registration with immediate editor privileges, effectively lowering the barrier. Additionally, compromised user accounts (via password reuse, credential stuffing, or social engineering) make this concern more practical.

Will upgrading TinyMCE break my custom plugins or configuration?

Unlikely, but possible. Review TinyMCE's release notes for your specific version jump. Major version upgrades (e.g., 7.x to 8.x) occasionally introduce breaking changes. Test thoroughly in a staging environment that mirrors your production setup, including any custom plugins, toolbar buttons, and serialization hooks, before deploying to production.

If I implement a strong Content Security Policy (CSP), am I protected from this vulnerability?

CSP provides important defense-in-depth mitigation by restricting inline script execution and controlling allowed script sources. However, CSP is not a substitute for patching. Depending on your CSP configuration, some XSS payloads might still succeed (e.g., if CSP allows unsafe-inline or trusted external domains). Patch the vulnerability directly while using CSP as a supplementary control.

This analysis is based on vendor-supplied information and CVE metadata current as of the publication date. SEC.co does not provide legal, compliance, or formal risk assessment advice. Organizations should verify patch availability and compatibility with their specific deployment, conduct internal testing, and consult their security and compliance teams before implementing changes. The absence of a vulnerability from CISA's KEV catalog or public exploit code does not imply absence of real-world risk. Always prioritize patching based on your asset criticality and threat landscape, not solely on KEV status. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).