HIGH 8.7

CVE-2026-47761 TinyMCE Media Plugin Stored XSS Vulnerability – Patch & Detection Guide

TinyMCE, a widely-used open source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in its media plugin. An authenticated attacker can inject malicious JavaScript by crafting specially formed data-mce-* HTML attributes within media content. When that content is later viewed or rendered by any user, the injected script executes in their browser with the privileges of the application. This is particularly dangerous because the malicious payload persists in the editor's content—it isn't just a temporary injection. Organizations using TinyMCE versions prior to 5.11.1, 7.9.3, or 8.5.1 with the media plugin active should prioritize upgrading immediately.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in TinyMCE's media plugin handling of data-mce-* HTML attributes. These attributes, commonly used for media metadata and plugin-specific data storage, are not properly sanitized during rendering. An attacker with editor access (authenticated user) can construct malicious payloads within data-mce-* attributes that bypass content security filters. The stored nature of this XSS means the payload is persisted in the database or content store, ensuring execution whenever the content is loaded in any browser context where the application renders the media. The CVSS 3.1 score of 8.7 (HIGH) reflects network-reachable attack surface, low complexity, requirement for authentication (lower privilege assumed), and high impact on confidentiality and integrity—though availability is not directly affected. The vulnerability maps to CWE-79 (Improper Neutralization of Input During Web Page Generation).

Business impact

Stored XSS in a content editor creates several operational risks. Compromised media content can be used to steal user session tokens, perform phishing attacks against readers, deface web properties, or redirect users to malicious sites. In multi-tenant or collaborative environments, a single attacker with editor credentials can poison content viewed by thousands of users. Downstream applications and API consumers relying on TinyMCE-generated content may inadvertently propagate the malicious payload. Incident response, content remediation, and user notification costs can be significant. Additionally, regulatory or compliance requirements (GDPR, HIPAA, PCI-DSS) may be triggered if user data is exfiltrated via the XSS payload.

Affected systems

Any deployment of TinyMCE versions 5.x prior to 5.11.1, 7.x prior to 7.9.3, or 8.x prior to 8.5.1 is vulnerable if the media plugin is enabled. This includes self-hosted instances and any third-party applications or SaaS platforms that bundle TinyMCE. The vulnerability requires the attacker to have authenticated editor access—typically a user account with content creation or modification permissions. Organizations should audit all systems consuming TinyMCE, including legacy applications, internal tools, and content management systems (CMS), to determine their version and media plugin status.

Exploitability

Exploitation requires authentication, which reduces the immediately exploitable population to users or accounts with editor privileges. However, in many organizations this includes content contributors, marketing teams, and contractors—a potentially large group. An attacker with such credentials can inject the payload through the media plugin UI or directly via API calls if the application exposes content editing endpoints. The attack is reliably repeatable once the malicious content is stored, affecting all subsequent viewers. No special tools or advanced techniques are needed; basic HTML and JavaScript knowledge suffice. The payload executes automatically without user interaction beyond simply viewing the content, making it particularly dangerous. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the straightforward nature and high impact suggest it may attract attention.

Remediation

Immediate action is to upgrade to the patched versions: 5.11.1, 7.9.3, or 8.5.1 or later, depending on your current branch. Organizations on the 5.x or 7.x branches that cannot immediately upgrade should verify the security update status in the vendor advisory and consider a temporary rollout plan. Until patched, restrict editor access to trusted users only, disable the media plugin if not essential, and implement strict Content Security Policy (CSP) headers to limit script execution. Review stored media content for signs of injection—look for suspicious data-mce-* attributes or encoded JavaScript. Conduct user awareness training to report unusual content or unexpected page behavior. Monitor TinyMCE release notes and your vendor's security bulletins for additional guidance.

Patch guidance

Verify your current TinyMCE version by checking package.json (npm) or your application's dependency manifest. For npm-managed installations, run 'npm update tinymce' to pull the latest version in your configured range, or explicitly install the fixed versions: npm install [email protected], [email protected], or [email protected]. For self-hosted or CDN-served versions, download the patched release directly from the official TinyMCE repository and replace the existing files. Test thoroughly in a staging environment first, especially if you have custom plugins or configurations. After deployment, verify the new version is loaded in production (check browser developer console or application logs for version string). For SaaS applications, check with your vendor for their patch timeline and security bulletin. If you cannot upgrade immediately, consult the vendor advisory for interim workarounds or compensating controls.

Detection guidance

Search stored content and media metadata for unusual data-mce-* attributes containing script tags, event handlers (onload, onerror, onclick), or encoded JavaScript. Use a SIEM or log analysis tool to look for suspicious pattern matches in content creation or modification logs—focus on editor accounts making changes outside normal business hours or with unusual payload sizes. Monitor web application firewalls (WAF) for requests containing data-mce-* parameters with JavaScript payloads. Implement or enhance CSP headers to log violations, which will capture execution attempts of injected scripts even if the payload persists in the database. Review user agent logs and referrer headers for signs of phishing or redirect attacks originating from your TinyMCE-powered content. Consider periodic content audits or automated scanning of media plugin data for known XSS patterns.

Why prioritize this

The HIGH CVSS score (8.7) combined with the authenticated-only requirement creates a medium-to-high priority for most organizations. Prioritize based on: (1) how many users have editor access, (2) whether your TinyMCE instance handles sensitive content or user data, (3) if the media plugin is actively used, and (4) audience size (large public-facing sites have higher blast radius). Environments with strict authentication controls and limited editor populations can schedule the patch in the next regular maintenance window. Public-facing platforms with many contributors or high-profile audiences should treat this as urgent and patch within one to two weeks. The fact that it is not yet in the KEV catalog suggests we are early in the disclosure window—exploit code may emerge as awareness grows.

Risk score, explained

The CVSS 3.1 score of 8.7 reflects: (1) Network-Accessible Attack Vector (AV:N) – the vulnerable code is reachable over the network via web UI or API, (2) Low Attack Complexity (AC:L) – no special conditions or timing needed, (3) Low Privilege Required (PR:L) – attacker needs valid editor credentials but not admin, (4) Required User Interaction (UI:R) – the victim must view or render the malicious content (automatic in most cases), (5) Changed Scope (S:C) – the XSS can affect users outside the original editor context, and (6) High Confidentiality and Integrity Impact (C:H, I:H) – attacker can steal data and modify page content. Availability is not affected (A:N) because the attack does not degrade service. The score appropriately reflects a serious but not critical vulnerability—it requires authentication but has broad downstream impact.

Frequently asked questions

Do I need editor credentials to be attacked by this vulnerability?

No, but the attacker does. An attacker with editor access (content contributor, marketing user, contractor, etc.) can inject the malicious payload once, and then any user viewing that media content is affected. You do not need credentials to be victimized; you need them to exploit it initially.

Is there a public exploit or is this being actively exploited in the wild?

As of the current date, this vulnerability is not listed in the CISA KEV catalog, and no public exploit code has been widely reported. However, the simplicity of the attack vector and the high impact mean exploit code may emerge quickly. Monitor your security feeds and the TinyMCE repository for any indicators of active exploitation.

Can I work around this without upgrading immediately?

Partial mitigation is possible: disable the media plugin if not essential, restrict editor access to fully trusted users, implement a strong Content Security Policy (CSP) header, and audit stored content for suspicious attributes. However, these controls do not eliminate the vulnerability—upgrading is the definitive fix. Workarounds buy time but should not delay your patch deployment indefinitely.

Does this affect only my own TinyMCE instance, or could it impact downstream consumers of my content?

If you serve content containing the malicious payload to other users or applications (via API, RSS, embedded widgets, etc.), they may be affected if they render that content without proper sanitization. The payload travels with the content, so the blast radius extends beyond your direct instance.

This analysis is provided for informational and defensive purposes only. All vulnerability data, CVSS scores, and affected version information are based on official vendor advisories and disclosures current as of the publish date. Organizations should verify their specific configurations and deployment against the upstream TinyMCE security bulletin before implementing patches. SEC.co does not verify exploit code or conduct live testing; detection and remediation guidance is based on industry best practices and the vulnerability's technical nature. Always test patches in a non-production environment first. This document does not constitute professional security advice; consult with your security team or a professional services firm for specific risk assessment and remediation planning tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).