High severity8.7NVD Advisory· Published May 28, 2026· Updated May 28, 2026
CVE-2026-47759
CVE-2026-47759
Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tinymcenpm | >= 0 | — |
tinymcenpm | >= 6.0.0, < 7.9.3 | 7.9.3 |
tinymcenpm | >= 8.0.0, < 8.5.1 | 8.5.1 |
TinyMCENuGet | < 5.11.1 | 5.11.1 |
TinyMCENuGet | >= 6.0.0, < 7.9.3 | 7.9.3 |
TinyMCENuGet | >= 8.0.0, < 8.5.1 | 8.5.1 |
tinymce/tinymcePackagist | >= 0 | — |
tinymce/tinymcePackagist | >= 6.0.0, < 7.9.3 | 7.9.3 |
tinymce/tinymcePackagist | >= 8.0.0, < 8.5.1 | 8.5.1 |
Affected products
5- ghsa-coords3 versions
>= 0+ 2 more
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: < 5.11.1
Patches
Vulnerability mechanics
References
5- github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2fnvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-q742-qvgc-gc2fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-47759ghsaADVISORY
- www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/nvdRelease NotesWEB
- www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.