VYPR
High severity8.7NVD Advisory· Published May 28, 2026· Updated May 28, 2026

CVE-2026-47759

CVE-2026-47759

Description

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
tinymcenpm
>= 0
tinymcenpm
>= 6.0.0, < 7.9.37.9.3
tinymcenpm
>= 8.0.0, < 8.5.18.5.1
TinyMCENuGet
< 5.11.15.11.1
TinyMCENuGet
>= 6.0.0, < 7.9.37.9.3
TinyMCENuGet
>= 8.0.0, < 8.5.18.5.1
tinymce/tinymcePackagist
>= 0
tinymce/tinymcePackagist
>= 6.0.0, < 7.9.37.9.3
tinymce/tinymcePackagist
>= 8.0.0, < 8.5.18.5.1

Affected products

5

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.