CVE-2026-47762: TinyMCE Stored XSS via Protected Comments – CVSS 8.7 HIGH
TinyMCE, a widely-used open-source rich text editor, contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts into protected content. The flaw exists in how the editor processes specially crafted comments marked with the mce:protected tag, bypassing built-in sanitization controls. When a user later restores or views the protected content, the injected script executes in their browser. This affects users who have enabled TinyMCE's protect option, a feature designed to mark content as requiring special handling. The vulnerability has been patched in versions 5.11.1, 7.9.3, and 8.5.1.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a stored XSS flaw (CWE-79) in TinyMCE's content protection mechanism. Attackers with authenticated access can craft malicious mce:protected comments that evade the editor's content sanitization filters. Because the malicious payload is stored server-side as part of the protected content metadata, it persists across sessions. When the editor restores or renders protected content, the script executes with the privileges of the viewing user, potentially in a cross-site context depending on deployment. The root cause appears to be insufficient validation or encoding of data within the mce:protected comment wrapper, allowing comment syntax to contain unfiltered script payloads that are later unwrapped and executed.
Business impact
Organizations using TinyMCE-based document editors, content management systems, or form builders face session hijacking, credential theft, and data exfiltration risks if attackers gain authenticated access. Because the payload is stored and triggered on view, the attack surface extends to all users who subsequently access the compromised content—not just the initial editor. In multi-tenant environments or shared document platforms, a single compromised record can affect many downstream users. Remediation requires patching and potentially invalidating or re-validating existing protected content that may have been maliciously modified.
Affected systems
All deployments of TinyMCE versions prior to 5.11.1 (legacy branch), 7.9.3 (mid-term), and 8.5.1 (current) are affected. The vulnerability only manifests when the protect option is enabled in the editor configuration. Organizations should identify which applications and instances embed TinyMCE and whether they use content protection features. Third-party integrations—including WordPress plugins, CMS platforms, and custom web applications—that bundle TinyMCE are potentially affected and require verification of their upstream dependency versions.
Exploitability
Exploitation requires authenticated access to the TinyMCE editor interface (PR:L per CVSS vector), meaning an attacker must already have user privileges or a compromised account. However, the user interaction requirement (UI:R) is limited to the attacker triggering content restoration, which is a low bar in many workflows. The attack vector is network-based (AV:N) with no complex prerequisites (AC:L), making it relatively straightforward to execute once inside. The stored nature of the payload means the attacker does not need to be present when the script executes—any user viewing the affected content becomes a victim. CVSS 8.7 (HIGH) reflects the combination of moderate access requirements, high confidentiality and integrity impact, and cross-site scope.
Remediation
Upgrade to TinyMCE 5.11.1, 7.9.3, or 8.5.1 depending on your current version branch. Administrators should assess which protected content may have been modified by unauthorized parties and consider re-validating or clearing such content if compromise is suspected. If immediate patching is not feasible, disable the protect option in TinyMCE configuration to prevent new payloads from being stored, though this may impact content workflow. Implement strong access controls and session management to reduce the likelihood of authenticated compromise. Monitor for unusual editor activity or content modifications.
Patch guidance
Apply the vendor patches as soon as feasible: upgrade to 5.11.1 for the 5.x branch, 7.9.3 for the 7.x branch, or 8.5.1 for the 8.x branch. Verify the patch version in your installed instance and in any bundled or third-party integrations. If TinyMCE is embedded in a plugin or framework, check the upstream maintainer's advisory for compatible versions and upgrade guidance. After patching, clear browser caches and invalidate user sessions to prevent stale JavaScript from executing. Test content restoration workflows in a staging environment to confirm the patch does not affect legitimate protected content handling.
Detection guidance
Search logs and audit trails for authenticated users accessing the editor to create or modify protected content, particularly outside normal business hours or from unusual locations. Look for mce:protected comment patterns containing suspicious JavaScript keywords (script, eval, fetch, XMLHttpRequest) in stored content or revision history. Monitor for stored procedures or database queries that insert or update protected content metadata. Implement content security policy (CSP) headers to limit the blast radius if injected scripts do execute. Use Web Application Firewalls (WAF) to flag requests containing mce:protected payloads with inline JavaScript, though this should complement, not replace, patching.
Why prioritize this
Despite the HIGH CVSS score, this vulnerability's practical impact depends on whether the protect feature is active and whether the attacker has authenticated access. However, stored XSS in a rich text editor affects entire document audiences, multiplying the impact per compromise. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited in-the-wild exploitation at this time, but this should not lower priority for organizations heavily dependent on TinyMCE-based collaboration or content platforms. Prioritize patching if your users edit shared or sensitive content; deprioritize slightly if the protect feature is unused, but still patch to close a future attack vector.
Risk score, explained
The CVSS 8.7 (HIGH) score reflects: (1) network-based, unauthenticated-seeming attack (AV:N, AC:L), (2) moderate authentication barrier (PR:L) that is realistic in many organizations, (3) user interaction requirement (UI:R) that is low friction, (4) high impact to confidentiality and integrity (C:H, I:H) via script injection, and (5) cross-site scope (S:C) implying potential to affect other users or systems. Availability is not impacted (A:N). The score is justified for environments where TinyMCE is deployed in collaborative or customer-facing contexts; organizations with highly restricted editor access may perceive lower practical risk.
Frequently asked questions
If we don't use the protect option in TinyMCE, are we affected?
No, this specific vulnerability requires the protect option to be enabled. If your TinyMCE instances do not have protected content features configured, you are not exposed to this stored XSS flaw. However, you should still patch to prevent the feature from becoming a vector in the future if configuration changes occur.
Do we need to wipe existing protected content after patching?
Not necessarily. The patch prevents new malicious payloads from being injected and executed. Existing content that was created before compromise detection is unlikely to be malicious unless you have evidence of unauthorized modification. As a precaution, review audit logs and access controls for any suspicious editor activity in the weeks before patching.
Will this vulnerability affect TinyMCE used in an offline or air-gapped environment?
Exploitation still requires authenticated access to the editor, so even in air-gapped settings, an attacker must have legitimate or compromised credentials. However, the stored XSS payload, once injected, will persist and execute whenever content is restored, even on isolated systems. Patch regardless of network isolation.
Are older versions like 4.x affected?
The vendor advisory specifies fixes in 5.11.1, 7.9.3, and 8.5.1. Versions prior to 5.x are not explicitly mentioned in the patch guidance. If you are running 4.x, contact the vendor or check their security advisory for guidance on end-of-life support and mitigations.
This analysis is provided for informational purposes based on publicly available CVE data. CVSS scores are vendor-assigned and represent a general severity estimate; actual risk depends on your deployment, configuration, and threat model. Always verify patch compatibility and test in a non-production environment before deploying to production systems. SEC.co does not warrant the completeness or accuracy of this analysis and recommends consulting the official TinyMCE security advisory and your organization's vulnerability management process for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47759HIGHTinyMCE Stored XSS via data-mce-* Attributes (8.7 HIGH)
- CVE-2026-47760HIGHTinyMCE XSS Vulnerability (Versions 6.8.0–7.0.x)
- CVE-2026-47761HIGHTinyMCE Media Plugin Stored XSS Vulnerability – Patch & Detection Guide
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)