HIGH 8.7

CVE-2026-47760: TinyMCE XSS Vulnerability (Versions 6.8.0–7.0.x)

TinyMCE, a widely used open-source rich text editor, contains a cross-site scripting (XSS) vulnerability in versions 6.8.0 through 7.0.x. The flaw stems from improper handling of SVG namespace scope within the editor's HTML sanitizer. An attacker with login access can craft malicious SVG payloads using nested elements that evade the sanitizer's attribute filtering, allowing them to inject and execute arbitrary JavaScript in the context of the application. The vulnerability requires user interaction (clicking or otherwise engaging with the crafted content) but can affect all users viewing that content once injected. This issue is resolved in TinyMCE 7.1.0.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47760 is an XSS vulnerability (CWE-79) affecting TinyMCE's HTML/SVG sanitization logic. The root cause is insufficient namespace scope validation when processing SVG elements during sanitization. An attacker can bypass attribute filtering by nesting SVG elements in ways that confuse the sanitizer's namespace tracking, effectively allowing dangerous attributes or event handlers to survive the sanitization process. The vulnerability exists in versions 6.8.0 through 7.0.x and requires authentication (PR:L in CVSS terms) but achieves high impact due to the ability to execute arbitrary JavaScript with the user's privileges (C:H, I:H). The attack vector is network-based with low complexity.

Business impact

Any application embedding TinyMCE in those version ranges faces a stored XSS risk if attackers or malicious insiders can author content. This threatens data confidentiality and integrity for all users who view that content. In collaborative environments, document sharing platforms, or CMS systems using vulnerable TinyMCE versions, a single compromised or malicious user account can be used to distribute malware, steal credentials, hijack sessions, or deface content at scale. The HIGH severity rating reflects the combination of network accessibility, authenticated but low-privilege attack path, and cross-origin capability (S:C).

Affected systems

TinyMCE versions 6.8.0 through 7.0.x are affected. Any application, plugin, theme, or SaaS platform that bundles or depends on TinyMCE within this version range—including content management systems, wiki software, helpdesk platforms, and document collaboration tools—is potentially vulnerable if users can create or edit rich-text content. Applications on older versions (pre-6.8.0) are unaffected; those on 7.1.0 or later are patched.

Exploitability

Exploitation requires authentication (the attacker must have editor/contributor privileges) and user interaction (the victim must view or interact with the malicious content). However, the CVSS score of 8.7 reflects that once those preconditions are met, the attack is reliable and nearly trivial to execute—a single crafted SVG payload can compromise any viewer. No special browser configuration or advanced techniques are required. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of the attack vector and the prevalence of TinyMCE suggest exploitation is likely in the wild.

Remediation

Upgrade TinyMCE to version 7.1.0 or later as soon as possible. Organizations should prioritize this patch in environments where non-admin users can edit content. For applications that cannot upgrade immediately, consider disabling rich-text editing for untrusted users, restricting editor access to trusted administrators only, or implementing additional output encoding/Content Security Policy headers as a temporary mitigation (not a substitute for patching).

Patch guidance

Apply TinyMCE 7.1.0 or a later version released after 2026-05-28. Verify the update through your package manager (npm, pip, composer, etc.) or by checking the official TinyMCE release notes. If TinyMCE is bundled within a larger application (CMS, plugin, etc.), wait for that vendor to release an updated package that includes TinyMCE 7.1.0; do not attempt manual version replacement unless you control the build process. Test the patched version in a staging environment to ensure editor functionality and any custom sanitization rules continue to work as expected.

Detection guidance

Monitor for TinyMCE instances in your applications; use software composition analysis (SCA) tools to flag versions 6.8.0–7.0.x in dependency trees. At runtime, inspect HTTP responses or DOM for script tags or event handlers injected into rich-text content areas that lack expected prefixes or sanitization. Review access logs for authenticated users creating or modifying content shortly before widespread viewing or reports of suspicious behavior. Content Security Policy (CSP) violations logged from the editor iframe can signal injection attempts if strict policies are in place.

Why prioritize this

This is a HIGH-severity flaw in a ubiquitous component. The combination of authenticated-but-low-privilege attack path, reliable exploitation, and high impact (arbitrary JavaScript execution) makes it a top remediation priority for any organization using TinyMCE in a multi-user or user-generated-content environment. The scope change (S:C) means the attacker's privileges can affect resources beyond the vulnerable component, amplifying risk. Immediate inventory and patching are essential.

Risk score, explained

The CVSS 3.1 score of 8.7 (HIGH) reflects: Network-based attack vector (AV:N), low complexity (AC:L), low privileges required (PR:L), required user interaction (UI:R), and changed scope (S:C) allowing the attacker to impact confidentiality and integrity at the application level (C:H, I:H). No availability impact (A:N) because XSS does not typically crash services. The high score is justified by the ease of exploitation once authentication is gained and the severity of undetected XSS in multi-user systems.

Frequently asked questions

Do I need to upgrade if I only allow administrators to use TinyMCE?

Reduced risk, but still recommended. If your admin accounts are compromised or if administrators are not fully trusted, the vulnerability remains exploitable. Additionally, future configurations or delegated permissions might expand editor access, so patching removes the risk entirely.

Is there a workaround if we cannot upgrade immediately?

Partial mitigation: implement a strict Content Security Policy that disallows inline scripts and event handlers, restrict editor access to a minimal set of trusted users, and apply output encoding to all rich-text content before display. However, these are not substitutes for patching—upgrade as soon as possible.

How does this differ from general XSS in a web application?

This is stored XSS injected through a legitimate application feature (the rich-text editor). It affects any user who views the compromised content, not just the attacker. This makes it particularly dangerous in collaborative or public-content platforms.

Will updating TinyMCE break my custom plugins or sanitization rules?

Version 7.1.0 is a minor version bump and should maintain API compatibility with 7.0.x. However, test in staging first, especially if you have custom sanitization logic, to ensure continued functionality.

This analysis is based on published CVE data and vendor advisory information current as of 2026-06-17. Security researchers and system administrators should verify all version numbers, patch availability, and deployment recommendations against official TinyMCE release notes and their own application documentation. SEC.co does not provide legal advice or guarantee the applicability of this guidance to your specific environment. Consult your organization's security team and vendor support channels for deployment decisions. Exploit code, proof-of-concept demonstrations, and weaponized payloads are not published here in accordance with responsible disclosure practices. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).