
915 matches found

Github Security Blog
added 2026/06/05 8:29 p.m., 31 views

TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments

Impact: Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Patches: Patched by validating decoded mce:protected content against configured protect...

CVSS 8.7 | AI score 5.5 | EPSS 0.00238
Exploits 0 | References 5 | Affected Software 2

EUVD
added 2026/06/05 8:27 p.m., 10 views

EUVD-2026-32921

TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes...

CVSS 8.7 | AI score 5.4 | EPSS 0.00238
Exploits 0 | References 4

vulnersOsv
added 2026/06/05 8:27 p.m., 6 views

17fe-ui23 (>=0.0.0 <=0.0.24), @2kog/pkg-editor (>=0.0.1 <=0.1.3) +583 more potentially affected by CVE-2026-47759 via tinymce (>=6.0.0 <=7.5.1)

tinymce NPM version =6.0.0, =0.0.0, =0.0.1, =12.1.0, =4.1.0, =1.0.0-beta.1, =4.1.2-rc, =1.0.0, =0.1.0, =0.1.19, =0.1.0, =0.1.1 and more Source cves: CVE-2026-47759 Source advisory: OSV:GHSA-Q742-QVGC-GC2F...

CVSS 8.7 | AI score 5.4 | EPSS 0.00238
Exploits 0

vulnersOsv
added 2026/06/05 8:27 p.m., 5 views

bsign-ui (>=0.0.3 <=0.0.5), gc-nimbus-ui (>=3.0.0 <=3.0.12) potentially affected by CVE-2026-47759 via tinymce (>=8.0.2 <=8.2.2)

tinymce NPM version =8.0.2, =0.0.3, =3.0.0, =3.0.12 Source cves: CVE-2026-47759 Source advisory: OSV:GHSA-Q742-QVGC-GC2F...

CVSS 8.7 | AI score 5.4 | EPSS 0.00238
Exploits 0

OSV
added 2026/06/05 8:27 p.m., 8 views

GHSA-Q742-QVGC-GC2F TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes

Impact: Stored XSS vulnerability via unsanitized data-mce- attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. Patches: Patched by stripping unsafe data-mce- attributes during...

CVSS 8.7 | AI score 5.4 | EPSS 0.00238
Exploits 0 | References 5

Github Security Blog
added 2026/06/05 8:27 p.m., 12 views

TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes

Impact: Stored XSS vulnerability via unsanitized data-mce- attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. Patches: Patched by stripping unsafe data-mce- attributes during...

CVSS 8.7 | AI score 5.4 | EPSS 0.00238
Exploits 0 | References 5 | Affected Software 2

EUVD
added 2026/06/05 8:9 p.m., 16 views

EUVD-2026-32920

TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs...

CVSS 8.7 | AI score 5.4 | EPSS 0.00191
Exploits 0 | References 2

vulnersOsv
added 2026/06/05 8:9 p.m., 3 views

17fe-ui23 (>=0.0.0 <=0.0.24), @2kog/pkg-editor (>=0.0.1 <=0.1.3) +553 more potentially affected by CVE-2026-47760 via tinymce (>=6.8.1 <=7.0.1)

tinymce NPM version =6.8.1, =0.0.0, =0.0.1, =12.1.0, =4.1.0, =1.0.0-beta.1, =4.1.2-rc, =1.0.0, =0.1.0, =0.1.0, =0.1.1, =0.1.7 - @arkxos/arkos-example =0.1.0 and more Source cves: CVE-2026-47760 Source advisory: OSV:GHSA-MH5M-5HW4-5C69...

CVSS 8.7 | AI score 5.4 | EPSS 0.00191
Exploits 0

OSV
added 2026/06/05 8:9 p.m., 6 views

GHSA-MH5M-5HW4-5C69 TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs

Impact: TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. Patches: This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fix...

CVSS 8.7 | AI score 5.8 | EPSS 0.00191
Exploits 0 | References 3

Github Security Blog
added 2026/06/05 8:9 p.m., 13 views

TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs

Impact: TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. Patches: This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fix...

CVSS 8.7 | AI score 5.8 | EPSS 0.00191
Exploits 0 | References 3 | Affected Software 2

RedhatCVE
added 2026/06/05 7:21 p.m., 6 views

CVE-2026-38526

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file...

CVSS 9.9 | AI score 6 | EPSS 0.00834
Exploits 2 | References 1

Veracode
added 2026/06/04 8:58 a.m., 8 views

Cross-site Scripting

TinyMCE is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper SVG namespace scope handling in the sanitizer, where crafted nested SVG elements can bypass attribute sanitization and execute arbitrary JavaScript, resulting in cross-site scripting attacks...

CVSS 8.7 | AI score 5.9 | EPSS 0.00191
Exploits 0 | References 1 | Affected Software 2

Veracode
added 2026/06/04 8:38 a.m., 8 views

Stored Cross-Site Scripting

TinyMCE is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to insufficient sanitization of data-mce- attributes such as data-mce-href, data-mce-src, and data-mce-style, allowing attackers to inject malicious values that override validated attributes during content...

CVSS 8.7 | AI score 6 | EPSS 0.00238
Exploits 0 | References 4 | Affected Software 2

Tenable Nessus
added 2026/06/01 12:0 a.m., 11 views

Linux Distros Unpatched Vulnerability : CVE-2026-47759

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce- attributes...

CVSS 8.7 | AI score 5.8 | EPSS 0.00238
Exploits 0 | References 2

Tenable Nessus
added 2026/05/30 12:0 a.m., 13 views

Linux Distros Unpatched Vulnerability : CVE-2026-47761

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject...

CVSS 8.7 | AI score 5.8 | EPSS 0.00223
Exploits 0 | References 2

Tenable Nessus
added 2026/05/30 12:0 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-47762

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows...

CVSS 8.7 | AI score 5.9 | EPSS 0.00238
Exploits 0 | References 2

Veracode
added 2026/05/29 4:37 a.m., 10 views

Stored Cross-Site Scripting (XSS)

TinyMCE is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of forged mce:protected comments, which allows an attacker to bypass content sanitization and inject malicious scripts that execute when the protected content is restored...

CVSS 8.7 | AI score 5.9 | EPSS 0.00238
Exploits 0 | References 4 | Affected Software 2

Tenable Nessus
added 2026/05/29 12:0 a.m., 6 views

Linux Distros Unpatched Vulnerability : CVE-2026-47760

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in...

CVSS 8.7 | AI score 6.1 | EPSS 0.00191
Exploits 0 | References 2

Snyk
added 2026/05/28 4:50 p.m., 9 views

Cross-site Scripting (XSS)

Overview: tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper handling of SVG namespace scope by the sanitizer. An attacker can execute arbitrary JavaScript by crafting a payload with nested SVG...

CVSS 8.7 | AI score 5.9 | EPSS 0.00191
Exploits 0 | References 2

vulnersOsv
added 2026/05/28 4:50 p.m., 4 views

org.webjars.npm:tinymce__tinymce-vue (>=5.1.0 <=5.1.1), org.wicketstuff:wicketstuff-tinymce6 (>=10.0.0 <=10.9.2) potentially affected by CVE-2026-47760 via org.webjars.npm:tinymce (>=6.8.3 <=6.8.6)

org.webjars.npm:tinymce MAVEN version =6.8.3, =5.1.0, =10.0.0, =10.9.2 Source cves: CVE-2026-47760 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-17056160...

CVSS 8.7 | AI score 5.4 | EPSS 0.00191
Exploits 0