Cross-site scripting vulnerability in TinyMCE plugins
Description
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TinyMCE versions before 5.10.0 contain a cross-site scripting vulnerability in the URL processing of the image and link plugins: a crafted image or link URL, introduced by a remote and unauthenticated attacker, executes arbitrary JavaScript in the browser of the user who later updates that image or link in the editor.
Vulnerability
Details
TinyMCE versions before 5.10.0 are affected by a cross-site scripting (XSS) vulnerability in the image and link plugins. The flaw is in the plugins' URL processing logic: when an editor user updates an image or link whose URL has been specially crafted, the editor does not sanitize that URL properly, and arbitrary JavaScript runs in the editing user's browser [4]. The attacker does not need to be authenticated to the application hosting TinyMCE; it is enough to get the crafted URL into content that an editing user will later open and update [1][2].
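The advisory describes the flaw only as insufficient sanitization of a URL at the point where an image or link is updated. The block below is an added illustration of that class of bug and its fix, written for this page and not taken from TinyMCE's source: it models link attributes as a plain object (so it runs under Node without a DOM), shows the unsafe "write whatever was supplied" update beside an update that validates the URL scheme first, and exercises both against constructed sample URLs. The scheme allowlist, the entity decoding and the sample inputs are all assumptions made for the example; TinyMCE's actual 5.10.0 change is in its own repository.

```javascript
// Added example (not TinyMCE's code): the kind of check that closes a
// javascript:-URL XSS in an editor's link/image update path. Attributes
// are modelled as a plain object rather than DOM nodes so this runs in Node.

// Schemes the example allows in href/src. Anything else (javascript:,
// data:, vbscript:, ...) is refused. Assumed for this example.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel', 'ftp']);

// Decode the numeric/named entities that can smuggle a scheme past naive
// string matching once the browser decodes them (e.g. "java&#x09;script:").
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/&colon;/gi, ':');
}

// Returns the URL when its scheme is allowed or when it has no scheme
// (relative, protocol-relative, fragment), otherwise null. Browsers drop
// ASCII control characters and whitespace before reading the scheme, so
// the check strips them too rather than matching the raw string.
function sanitizeUrl(raw) {
  if (typeof raw !== 'string') return null;
  const decoded = decodeEntities(raw);
  const cleaned = decoded.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return raw.trim(); // no scheme at all: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? raw.trim() : null;
}

// Vulnerable pattern: the update path copies the supplied URL straight
// into the attribute, so a crafted value reaches the live document.
function updateLinkUnsafe(anchor, url) {
  return { ...anchor, href: url };
}

// Hardened pattern: validate at the update, and refuse rather than "repair"
// a bad URL so the caller can surface the rejection to the user.
function updateLinkSafe(anchor, url) {
  const safe = sanitizeUrl(url);
  if (safe === null) {
    return { ok: false, anchor, reason: `blocked URL scheme in ${JSON.stringify(url)}` };
  }
  return { ok: true, anchor: { ...anchor, href: safe } };
}

// Constructed sample inputs (not from the advisory): two ordinary URLs,
// then the evasions a URL filter in an editor has to catch.
const SAMPLES = [
  'https://example.com/page',
  '/relative/path#frag',
  'javascript:alert(document.cookie)',
  'JaVaScRiPt:alert(1)',
  '\u0001javascript:alert(1)',
  'java&#x09;script:alert(1)',
  'javascript&colon;alert(1)',
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
];

// Runs every sample through the check; used by the demo and the test.
function report() {
  return SAMPLES.map((u) => ({ url: u, accepted: sanitizeUrl(u) !== null }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of report()) {
    console.log(`${r.accepted ? 'ALLOW' : 'BLOCK'}  ${JSON.stringify(r.url)}`);
  }
}
```

The check is deliberately conservative: a relative path whose first segment happens to look like `scheme:` is blocked along with the dangerous ones, which is the right trade-off for an editor that writes into a live document. Note also that the decision is made on the decoded, control-stripped string while the stored value stays as the user supplied it; validating the raw string would let `java&#x09;script:` through.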
Exploitation
Prerequisites
The attacker needs a crafted image or link URL to reach an editor user, for example inside content that the user later opens in TinyMCE. The payload executes only when that user updates the affected image or link in the editor; it is not enough for the content merely to be loaded or displayed. The dangerous URL is live only during editing: content extracted from the editor does not contain it, so the impact is confined to the editing session itself [4].
Impact
Successful exploitation runs attacker-controlled JavaScript in the editing user's browser, in the origin of the application that hosts TinyMCE. Depending on that application, this can expose session tokens or other data the page can read, let the attacker alter the content being edited, or perform other actions with the victim's privileges [1][4].
Mitigation
The vulnerability has been patched in TinyMCE version 5.10.0, which improves sanitization logic when updating URLs in the affected plugins [4]. Users are advised to upgrade to TinyMCE 5.10.0 or later. As a workaround, the image and link plugins can be disabled if immediate upgrade is not possible [4]. The django-tinymce project also released version 3.4.0 incorporating the fix [2][3].
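The workaround above is a configuration change: leave the image and link plugins out of the editor until the upgrade lands. The block below is an added example, not the TinyMCE project's code, that applies it mechanically: it compares the running version against 5.10.0 and, when the version is older, returns a copy of a `tinymce.init()` options object with those two plugins and their toolbar buttons removed. The version string is passed in explicitly (from `package.json` or whatever the deployment knows), the sample config is constructed for the example, and the toolbar button names (`link`, `unlink`, `openlink`, `image`) are the ones those TinyMCE 5 plugins register.

```javascript
// Added example (not the TinyMCE project's code): apply the advisory's
// workaround (drop the image and link plugins) only when the installed
// TinyMCE is older than the fixed release, 5.10.0.

const FIXED_VERSION = [5, 10, 0];

// Parse "major.minor.patch" from a version string; anything after the
// third number is ignored. Throws on input it does not understand.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` is older than 5.10.0. The advisory's affected range
// is a plain "< 5.10.0", so a numeric compare of the three parts suffices.
function needsWorkaround(version) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] < FIXED_VERSION[i];
  }
  return false;
}

// Plugin names from the advisory and the toolbar buttons those plugins
// register in TinyMCE 5 (assumed button list for this example).
const VULNERABLE_PLUGINS = new Set(['image', 'link']);
const VULNERABLE_BUTTONS = new Set(['image', 'link', 'unlink', 'openlink']);

// Remove the affected buttons from a TinyMCE toolbar string and tidy the
// "|" separators so no empty groups are left behind.
function dropButtons(toolbar) {
  const kept = [];
  for (const tok of String(toolbar || '').split(/\s+/).filter(Boolean)) {
    if (VULNERABLE_BUTTONS.has(tok)) continue;
    if (tok === '|' && (kept.length === 0 || kept[kept.length - 1] === '|')) continue;
    kept.push(tok);
  }
  if (kept[kept.length - 1] === '|') kept.pop();
  return kept.join(' ');
}

// Takes a tinymce.init() options object (plugins as a space-separated
// string or an array, the two forms TinyMCE 5 accepts) and the running
// version; returns a copy with the workaround applied when needed.
function hardenInitConfig(config, version) {
  if (!needsWorkaround(version)) return { ...config };
  const list = Array.isArray(config.plugins)
    ? config.plugins
    : String(config.plugins || '').split(/\s+/);
  const plugins = list.filter((p) => p && !VULNERABLE_PLUGINS.has(p));
  return { ...config, plugins, toolbar: dropButtons(config.toolbar) };
}

// Constructed sample config in the usual TinyMCE 5 shape (not from the advisory).
const BASE_CONFIG = {
  selector: 'textarea#editor',
  plugins: 'lists link image table',
  toolbar: 'undo redo | bold italic | link image | bullist numlist',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(hardenInitConfig(BASE_CONFIG, '5.9.2'), null, 2));
  console.log(JSON.stringify(hardenInitConfig(BASE_CONFIG, '5.10.0'), null, 2));
}
```

In a real deployment the returned object would be handed to `tinymce.init()`. The version gate keeps the workaround from silently outliving the upgrade: once 5.10.0 or later is installed, the config comes back unchanged and the plugins are loaded again.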
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| tinymce | npm | < 5.10.0 | 5.10.0 |
| tinymce/tinymce | Packagist | < 5.10.0 | 5.10.0 |
| TinyMCE | NuGet | < 5.10.0 | 5.10.0 |
| django-tinymce | PyPI | < 3.4.0 | 3.4.0 |
Affected products
- Range: 2.0.0, 2.0.1, 2.0.2, …
- GHSA coordinates, 4 version ranges (listed below)
- (no CPE) range: < 5.10.0
- (no CPE) range: < 5.10.0
- (no CPE) range: < 5.10.0
- (no CPE) range: < 3.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r8hm-w5f7-wj39 (GHSA; third-party advisory)
- github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39 (GHSA; vendor advisory)
- vulncheck.com/advisories/vc-advisory-GHSA-r8hm-w5f7-wj39 (MITRE; third-party advisory)
- github.com/jazzband/django-tinymce/issues/366 (GHSA; issue tracking)
- github.com/jazzband/django-tinymce/releases/tag/3.4.0 (GHSA; related)
- pypi.org/project/django-tinymce/3.4.0 (GHSA)
- pypi.org/project/django-tinymce/3.4.0/ (MITRE; related)
News mentions
No linked articles in our index yet.