High severity8.7NVD Advisory· Published May 28, 2026· Updated May 28, 2026
CVE-2026-47760
CVE-2026-47760
Description
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tinymcenpm | >= 6.8.0, < 7.1.0 | 7.1.0 |
TinyMCENuGet | >= 6.8.0, < 7.1.0 | 7.1.0 |
tinymce/tinymcePackagist | >= 6.8.0, < 7.1.0 | 7.1.0 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-mh5m-5hw4-5c69ghsaADVISORY
- github.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-47760ghsaADVISORY
News mentions
0No linked articles in our index yet.