EXECUTIVE SUMMARY:
Four vulnerabilities have been disclosed in TinyMCE, the widely deployed open-source rich text editor, affecting its npm, NuGet, and Composer packages. All four are stored cross-site scripting (XSS) weaknesses, reachable through crafted media plugin attributes, forged mce:protected comments, unsanitized data-mce-prefixed attributes, or nested SVG elements. Because the payload is stored, it executes in the browser of every user who later views the content, which can lead to credential theft, session hijacking, and unauthorized content manipulation; the resulting operational and reputational risk is significant.
CVE-2026-47761 with a CVSS score of 8.7 – Stored XSS in TinyMCE's media plugin: a crafted data-mce-object attribute lets an attacker inject a malicious script. The attacker needs network access, low privileges, and a victim who interacts with the affected content.
CVE-2026-47762 with a CVSS score of 8.7 – Forged mce:protected comments bypass sanitization: the script they carry executes when TinyMCE restores the protected content. Little attacker skill is required, but user interaction is.
CVE-2026-47759 with a CVSS score of 8.7 – Stored XSS via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes: an attacker-supplied value in these editor-internal attributes overrides the corresponding safe href, src, or style attribute when the content is serialized.
CVE-2026-47760 with a CVSS score of 8.7 – Improper SVG namespace handling in the sanitizer lets a nested <svg> element escape attribute checks and run arbitrary JavaScript; the attack is low-complexity and reachable over the network.
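All four issues hinge on markup that TinyMCE normally generates itself (data-mce-* attributes, data-mce-object media placeholders, <!--mce:protected ...--> comments) and restores or rewrites when it serializes content, plus the sanitizer's handling of nested <svg>. The Node.js function below is an added example, not code from TinyMCE or from the advisories linked under REFERENCES: it scans HTML submitted from a browser for those editor-internal constructs so a save handler can reject the submission. The function names and the two sample strings are constructed for this illustration. It is a triage check, not a sanitizer; content you keep must still go through a real server-side HTML sanitizer such as DOMPurify, and patching TinyMCE remains the fix.

```javascript
// Added example (not TinyMCE project code): scan HTML that arrives from a
// browser for TinyMCE-internal constructs that should never be accepted from
// an untrusted client. TinyMCE generates data-mce-* attributes, data-mce-object
// media placeholders and <!--mce:protected ...--> comments itself and restores
// or rewrites them when it serializes content, so seeing them in submitted
// content is a red flag. This is a triage check, not a sanitizer: anything you
// keep must still pass a real HTML sanitizer (e.g. DOMPurify) server-side.

// Token regex: group 1 = comment body, group 2 = "/" for a closing tag,
// group 3 = tag name, group 4 = raw attribute text (a quoted ">" is tolerated).
const TOKEN_RE = /<!--([\s\S]*?)-->|<(\/?)([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// Attribute regex: group 1 = name, groups 2-4 = double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function scanStoredContent(html) {
  const findings = [];
  let svgDepth = 0; // open <svg> elements; a second <svg> inside one is the nested case
  TOKEN_RE.lastIndex = 0;
  let m;
  while ((m = TOKEN_RE.exec(html)) !== null) {
    if (m[1] !== undefined) {
      // Comment token: TinyMCE's protect feature stores content as <!--mce:protected ...-->
      if (/^\s*mce:protected\b/i.test(m[1])) {
        findings.push({ kind: 'mce-protected-comment', detail: m[1].trim().slice(0, 60) });
      }
      continue;
    }
    const closing = m[2] === '/';
    const name = m[3].toLowerCase();
    const attrText = m[4];
    const selfClosing = /\/\s*$/.test(attrText);

    if (name === 'svg') {
      if (closing) {
        svgDepth = Math.max(0, svgDepth - 1);
      } else {
        if (svgDepth > 0) {
          findings.push({ kind: 'nested-svg', detail: `depth ${svgDepth + 1}` });
        }
        if (!selfClosing) svgDepth += 1;
      }
    }
    if (closing) continue;

    // Any data-mce-* attribute (data-mce-object, data-mce-href, data-mce-src,
    // data-mce-style, ...) is editor-internal and must not come from the client.
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrText)) !== null) {
      const attr = a[1].toLowerCase();
      if (attr.startsWith('data-mce-')) {
        const value = a[2] ?? a[3] ?? a[4] ?? '';
        findings.push({ kind: 'data-mce-attribute', detail: `<${name} ${attr}="${value.slice(0, 60)}">` });
      }
    }
  }
  return findings;
}

// Gate for a save handler: reject the submission outright rather than trying
// to strip the offending markup with string replacement.
function hasEditorInternals(html) {
  return scanStoredContent(html).length > 0;
}

// Constructed sample inputs (not taken from any real report).
const SAMPLE_CLEAN =
  '<p>Hello <a href="https://example.com">link</a></p>' +
  '<svg width="10" height="10"><circle r="4"/></svg>';

const SAMPLE_TAMPERED = [
  '<p>Intro</p>',
  '<!--mce:protected %3Cb%3Eforged%3C%2Fb%3E-->',
  '<a href="https://example.com" data-mce-href="untrusted-value">x</a>',
  '<img class="mce-object" data-mce-object="video" src="poster.png">',
  '<svg><svg><circle r="1"/></svg></svg>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanStoredContent(SAMPLE_TAMPERED), null, 2));
  console.log('clean input flagged:', hasEditorInternals(SAMPLE_CLEAN));
}
```

Run with `node scan.js`: the tampered sample yields four findings (the forged comment, the data-mce-href and data-mce-object attributes, and the nested <svg> at depth 2), the clean sample none. The regex tokenizer is deliberately simple and will not catch everything a browser's parser would accept, which is why the function rejects rather than rewrites and why a proper sanitizer still sits behind it.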
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-vg35-5wq7-3x7w
https://github.com/advisories/GHSA-v98h-vmpc-fpqv
https://github.com/advisories/GHSA-q742-qvgc-gc2f
https://github.com/advisories/GHSA-mh5m-5hw4-5c69