Cross-site scripting vulnerability in TinyMCE
Description
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TinyMCE before 5.9.0 contains a stored XSS vulnerability via crafted HTML, allowing unauthenticated remote attackers to execute arbitrary JavaScript in other users' browsers.
Vulnerability
Overview
The vulnerability is a stored cross-site scripting (XSS) flaw in TinyMCE versions prior to 5.9.0. The root cause lies in the schema validation logic of the core parser. When a user inserts specially crafted HTML content into the editor — via clipboard paste or through editor APIs — the parser fails to properly validate the content after unwrapping invalid elements [3]. This allows malicious markup to persist within the editor's content.
Exploitation
Prerequisites
No authentication is required; per the CVE description, the flaw is exploitable by an unauthenticated, remote attacker. The crafted HTML has to reach the editor, which in practice means a user pasting it from the clipboard or an application feeding untrusted content through the editor APIs [3]. If the editor's output is then stored and published without server-side sanitization, the malicious markup is served to every other user who views that content [3]. All installations running TinyMCE 5.8.2 or lower are affected [3].
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of another user's browser when they view the affected content. This can lead to data theft, session hijacking, or other client-side attacks. The impact is further amplified if the editor is used in a collaborative or content-sharing environment where many users access the same content [3].
Mitigation
The vulnerability is fixed in TinyMCE 5.9.0; upgrade to 5.9.0 or later. Where an immediate upgrade is not possible, the vendor advisory describes a workaround: register a handler for the editor's BeforeSetContent event and strip or escape dangerous markup from the incoming content before it is inserted into the editor [3]. The advisory provides example code for this handler [1][3]. Note that the hook runs client-side at insertion time only; it does not clean content that is already stored, and it does not replace sanitizing the HTML on the server before it is published to other users.
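The workaround above, as an added example (this is not the vendor advisory's sample code and is not part of this page): a version gate using TinyMCE's tinymce.majorVersion and tinymce.minorVersion properties, and a BeforeSetContent handler that rewrites e.content before the parser receives it. The regex filter is a deliberately small illustration of stripping active content (script-like elements, on* handlers, javascript: URLs), not a complete HTML sanitizer; a production hook should call a maintained sanitizer such as DOMPurify instead. The selector, the element lists and the sample payload are constructed for the example.

```javascript
// Added example, not TinyMCE's own code: gate on the loaded version and
// register a BeforeSetContent hook that strips active content before the
// editor's parser sees it.

const FIXED_RELEASE = [5, 9, 0]; // first release carrying the fix (per the advisory)

// True when a dotted version string sorts below 5.9.0 (e.g. "5.8.2", "4.9.11").
function isAffected(version) {
  const parts = String(version).split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < FIXED_RELEASE.length; i++) {
    const v = parts[i] || 0;
    if (v !== FIXED_RELEASE[i]) return v < FIXED_RELEASE[i];
  }
  return false; // exactly 5.9.0 is patched
}

// Elements whose body is itself active content: dropped together with their contents.
const ACTIVE_CONTAINER = /<(script|style|iframe|object|embed|svg|math)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
// Leftover open/close tags of those and a few other risky elements (unclosed cases).
const ACTIVE_TAG = /<\/?(script|style|iframe|object|embed|svg|math|form|meta|link|base)\b[^>]*>/gi;
// Inline event handlers: onerror="...", onclick='...', onload=bare
const EVENT_ATTR = /\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
// URL-bearing attributes pointing at a script scheme; the value is replaced with "#".
const SCRIPT_URL = /\s+(href|src|xlink:href|action|formaction)\s*=\s*(["']?)\s*(?:javascript|vbscript)\s*:[^"'\s>]*\2/gi;

// Illustrative filter only: regex over HTML is brittle (entity-encoded
// "javascript&#58;", odd whitespace, malformed tags all get past it). The shape
// of the hook is what this example shows; use a real sanitizer in production.
function sanitizeHtml(html) {
  return String(html)
    .replace(ACTIVE_CONTAINER, '')
    .replace(ACTIVE_TAG, '')
    .replace(EVENT_ATTR, '')
    .replace(SCRIPT_URL, ' $1=$2#$2');
}

// BeforeSetContent handler: TinyMCE passes the HTML about to be inserted as
// e.content; overwriting it changes what the parser receives.
function onBeforeSetContent(e) {
  if (typeof e.content === 'string') {
    e.content = sanitizeHtml(e.content);
  }
}

// Constructed sample payload for the demo below (not taken from the advisory).
const CONSTRUCTED_PAYLOAD =
  '<p>Hello</p>' +
  '<img src="x" onerror="alert(1)">' +
  '<a href="javascript:alert(2)">link</a>' +
  '<script>alert(3)</script>' +
  '<b>bold</b>';

// Wiring: only installs the hook when TinyMCE is loaded on the page and is
// below 5.9.0. The selector is an assumption for this example; in a real
// integration the setup callback is added to the existing tinymce.init call.
if (typeof tinymce !== 'undefined' &&
    isAffected(`${tinymce.majorVersion}.${tinymce.minorVersion}`)) {
  tinymce.init({
    selector: 'textarea#content',
    setup(editor) {
      editor.on('BeforeSetContent', onBeforeSetContent);
    },
  });
}

console.log(sanitizeHtml(CONSTRUCTED_PAYLOAD));
```

The hook only covers HTML passed through this editor instance at insertion time (setContent, insertContent, paste). Content already persisted by a vulnerable build is untouched, so the stored HTML should still be sanitized on the server before it is rendered to other users.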
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| tinymce | npm | < 5.9.0 | 5.9.0 |
| TinyMCE | NuGet | < 5.9.0 | 5.9.0 |
| tinymce/tinymce | Packagist | < 5.9.0 | 5.9.0 |
Affected products
Version ranges from the GHSA (no CPE identifiers assigned):
- (no CPE) range: < 5.9.0
- (no CPE) range: < 5.9.0
- (no CPE) range: < 5.9.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5h9g-x5rv-25wg (GHSA, third-party advisory)
- github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg (GHSA, vendor advisory)
- vulncheck.com/advisories/vc-advisory-GHSA-5h9g-x5rv-25wg (MITRE, third-party advisory)
- www.tiny.cloud/docs/release-notes/release-notes59/ (GHSA, related: 5.9 release notes)
News mentions
No linked articles in our index yet.