Lucene search

5 matches found

Positive Technologies
added 2026/05/28 12:0 a.m. | 14 views

PT-2026-44388

Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 5.11.1; TinyMCE versions prior to 7.9.3; TinyMCE versions prior to 8.5.1. Description: A stored Cross-Site Scripting (XSS) issue exists due to unsanitized data-mce- attributes, specifically data-mce-href, data-mce-src, and...

8.7 CVSS | 5.4 AI score | 0.00238 EPSS
Exploits: 0 | References: 12
OSV
added 2025/06/25 6:43 p.m. | 7 views

DRUPAL-CONTRIB-2025-084

Project Paragraphs table provides a field for a collection table. The module doesn't sufficiently sanitise certain data attributes, allowing Cross Site Scripting (XSS) attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing...

5.4 CVSS | 5.9 AI score | 0.00186 EPSS
Exploits: 0 | References: 1
OSV
added 2025/06/25 6:41 p.m. | 5 views

DRUPAL-CONTRIB-2025-077

This module enables you to generate a table of contents for your pages given a configuration. The module doesn't sufficiently sanitise data attributes, allowing persistent Cross-site Scripting (XSS) attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to...

6.1 CVSS | 6.1 AI score | 0.00186 EPSS
Exploits: 0 | References: 1
Drupal
added 2025/04/23 12:0 a.m. | 11 views

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page. The Colorbox module doesn't sufficiently sanitize data attributes before opening modals. This vulnerability is mitigated by the fact that an attacker must have a role with...

6.1 CVSS | 5.6 AI score | 0.00214 EPSS
Exploits: 0 | References: 2
OSV
added 2020/12/04 8:4 p.m. | 4 views

GHSA-5P28-63MC-CGR9 Cross-Site Scripting bypass in html-purify

All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. No fix is currently available. Consider using an alternative package until a fix is made available...

5.2 AI score
Exploits: 0 | References: 1