16 matches found
CVE-2024-29881
TinyMCE is affected by an XSS vulnerability (CVE-2024-29881) in its handling of external SVG content loaded via object/embed during content loading/insertion. The root cause is improper validation of user-supplied input via SVGs, allowing a payload to execute in the context of the hosting site. T...
CVE-2022-23494
Summary (CVE-2022-23494): TinyMCE (open source rich text editor) suffers a cross-site scripting (XSS) vulnerability in alert/confirm dialogs when provided with malicious HTML, potentially allowing arbitrary JavaScript execution in the current user’s browser. Affected versions clock to TinyMCE 5.x...
CVE-2020-17480
The CVE-2020-17480 issue affects TinyMCE prior to 4.9.7 and 5.x prior to 5.1.4, where cross-site scripting can be triggered by inserting content via clipboard or editor APIs in the core parser, paste plugin, and visualchars plugin. The vulnerability arises from improper input validation and can b...
CVE-2023-48219
Summary of CVE-2023-48219 (TinyMCE): A mutation XSS (mXSS) flaw in TinyMCE’s core undo/redo and related APIs/plugins arises from text nodes in certain parents not being escaped during serialization per HTML standards. If a text node contains a special internal marker, it can combine with other HT...
CVE-2020-12648
CVE-2020-12648 describes an XSS vulnerability in TinyMCE 5.2.1 and earlier, exploitable when configured in classic editing mode. The provided connected documents corroborate that TinyMCE’s classic editor mode allows remote attackers to inject arbitrary web scripts, but do not provide details on a...
CVE-2024-21908
CVE-2024-21908 (TinyMCE) : Affected software versions are TinyMCE before 5.9.0. The issue is a stored cross-site scripting vulnerability where an unauthenticated, remote attacker can insert crafted HTML into the editor, leading to arbitrary JavaScript execution in another user’s browser. Root cau...
CVE-2023-45818
Concrete details confirm CVE-2023-45818 affects TinyMCE undo/redo logic, where HTML is mutated by a combination of string trimming and reparative parsing when restoring from the undo stack, enabling XSS. The issue also affects related APIs/plugins (tinymce.Editor.getContent({ format: 'raw' }), re...
CVE-2024-21910
CVE-2024-21910 affects TinyMCE plugins with versions before 5.10.0. The issue is a cross-site scripting vulnerability: a remote, unauthenticated attacker can craft image or link URLs that cause execution of arbitrary JavaScript in an editing user’s browser. The description in connected sources co...
CVE-2024-21911
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated, remote attacker could insert crafted HTML into the editor, leading to arbitrary JavaScript execution in another user’s browser. The CVE entry lists a base score of 6.1 (Medium). Remediat...
CVE-2024-29203
TinyMCE contains a cross-site scripting (XSS) vulnerability in its content insertion code that can allow iframe elements to execute malicious scripts. The issue is mitigated by upgrading to TinyMCE v6.8.1 or newer; multiple advisories also note that patches and later versions (e.g., 7.0.0+) addre...
CVE-2019-1010091
CVE-2019-1010091 affects TinyMCE 4.7.11/4.7.12 (Media element). The root cause is improper input neutralization (CWE-79) in the media element, enabling JavaScript execution when a user pastes malicious content into the media element embed tab. Impact is client-side code execution with low attack ...
CVE-2023-45819
CVE-2023-45819 is a cross-site scripting vulnerability in TinyMCE’s Notification Manager API. An attacker could trigger arbitrary JavaScript execution by injecting unfiltered HTML into a notification text displayed in the TinyMCE UI for the current user, requiring crafted content and a notificati...
CVE-2026-47761
Summary: CVE-2026-47761 is a stored XSS vulnerability in TinyMCE’s media plugin, triggered by crafted data-mce-* attributes during content rendering. Affected software: TinyMCE (open source rich text editor); affected version range prior to 5.11.1, 7.9.3, and 8.5.1. Root cause/Vector: Media plugi...
CVE-2026-47759
TinyMCE contains a stored XSS vulnerability in data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style) that can bypass validation during serialization. Affected versions are prior to 5.11.1, 7.9.3, and 8.5.1. The underlying issue is unsanitized data-mce-* attributes allowing attackers...
CVE-2026-47762
CVE-2026-47762 affects TinyMCE, a widely used open source rich text editor. The flaw is a stored XSS via forged mce:protected comments present before version 5.11.1, 7.9.3, and 8.5.1. An attacker could bypass sanitization and insert scripts that execute when content is restored, impacting users w...
CVE-2026-47760
CVE-2026-47760 affects TinyMCE before 7.1.0, where an XSS flaw arises from improper SVG namespace scope handling in the sanitizer. The issue allows a crafted payload using nested SVG elements to bypass attribute sanitization and execute arbitrary JavaScript. Affected versions are 6.8.0 up to, but...