Moderate severityOSV Advisory· Published Jan 3, 2024· Updated Nov 28, 2025
Cross-site scripting vulnerability in TinyMCE plugins
CVE-2024-21910
Description
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tinymcenpm | < 5.10.0 | 5.10.0 |
tinymce/tinymcePackagist | < 5.10.0 | 5.10.0 |
TinyMCENuGet | < 5.10.0 | 5.10.0 |
django-tinymcePyPI | < 3.4.0 | 3.4.0 |
Affected products
5- Range: 2.0.0, 2.0.1, 2.0.2, …
- ghsa-coords4 versions
< 5.10.0+ 3 more
- (no CPE)range: < 5.10.0
- (no CPE)range: < 5.10.0
- (no CPE)range: < 5.10.0
- (no CPE)range: < 3.4.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-r8hm-w5f7-wj39ghsathird-party-advisoryADVISORY
- github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39ghsavendor-advisoryWEB
- vulncheck.com/advisories/vc-advisory-GHSA-r8hm-w5f7-wj39mitrethird-party-advisory
- github.com/jazzband/django-tinymce/issues/366ghsaissue-trackingWEB
- github.com/jazzband/django-tinymce/releases/tag/3.4.0ghsarelatedWEB
- pypi.org/project/django-tinymce/3.4.0ghsaWEB
- pypi.org/project/django-tinymce/3.4.0/mitrerelated
News mentions
0No linked articles in our index yet.