tinymce is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript in a user’s browser when the library is configured in classic editing mode. The stripping and sanitization logic of TinyMCE can be bypassed using nested and non-terminated HTML tags, which can allow an attacker to inject an `` tag with arbitrary `src` and `onerror` values.
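
A defensive check for markup entering or leaving the editor, as an added example that is not part of the advisory or of TinyMCE's code: it flags the nested and non-terminated tag shapes described above and any event-handler attribute such as `onerror`. The function name `audit_markup`, the two regexes and the sample strings are constructed for illustration; the tag-shape patterns are heuristics for review, not a sanitizer.

```python
import re
from html.parser import HTMLParser

# Heuristics for the two malformed shapes the advisory names (assumed patterns).
NESTED_TAG = re.compile(r"<[A-Za-z/][^<>]*<")         # a second '<' before the tag closes
UNTERMINATED_TAG = re.compile(r"<[A-Za-z/][^<>]*\Z")  # tag still open at end of input


class _HandlerAudit(HTMLParser):
    """Records every attribute whose name marks an inline event handler."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before this call.
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event-handler:{tag}.{name}")


def audit_markup(markup):
    """Return a list of findings for one piece of editor content."""
    findings = []
    if NESTED_TAG.search(markup):
        findings.append("nested-tag")
    if UNTERMINATED_TAG.search(markup):
        findings.append("unterminated-tag")
    parser = _HandlerAudit()
    parser.feed(markup)
    parser.close()
    return findings + parser.findings


if __name__ == "__main__":
    # Constructed samples: one clean, three that should be held for review.
    samples = [
        '<p>Hello <strong>world</strong></p>',
        '<img src="x.png" onerror="handler()">',
        '<p>text <b <i>more</i></p>',
        '<p>draft</p><span class="note"',
    ]
    for sample in samples:
        print(audit_markup(sample) or "clean", "<-", sample)
```

Content with any finding can be rejected or queued for review before it is stored or rendered; upgrading TinyMCE to a fixed release remains the actual remedy.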