tinymce is vulnerable to cross-site scripting (XSS). The attack exists because it does not prevent the attacker from injecting a malicious script into the editor via the clipboard or APIs, allowing to execute the script when a user loads the editor.
github.com/advisories/GHSA-27gm-ghr9-4v95
github.com/tinymce/tinymce/commit/3d7e41401bb2dede70189cc60e4517d2aef537b4
github.com/tinymce/tinymce/commit/67e52b815cf575498cab127dbf7f1899216d819f
github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95
www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes