Medium severity6.1OSV Advisory· Published Jan 3, 2024· Updated Jun 17, 2026
CVE-2024-21908
CVE-2024-21908
Description
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tinymcenpm | < 5.9.0 | 5.9.0 |
TinyMCENuGet | < 5.9.0 | 5.9.0 |
tinymce/tinymcePackagist | < 5.9.0 | 5.9.0 |
Affected products
4- ghsa-coords3 versions
< 5.9.0+ 2 more
- (no CPE)range: < 5.9.0
- (no CPE)range: < 5.9.0
- (no CPE)range: < 5.9.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-5h9g-x5rv-25wgnvdExploitThird Party AdvisoryADVISORY
- github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wgnvdExploitThird Party AdvisoryWEB
- vulncheck.com/advisories/vc-advisory-GHSA-5h9g-x5rv-25wgnvdThird Party Advisory
- www.tiny.cloud/docs/release-notes/release-notes59/nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.