CVE-2026-47760
Description
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TinyMCE 6.8.x to 7.0.x contains an XSS vulnerability via nested SVG elements bypassing sanitization, fixed in 7.1.0.
Vulnerability
TinyMCE versions 6.8.0 through 7.0.x are affected by a cross-site scripting (XSS) vulnerability caused by improper SVG namespace scope handling in the HTML sanitizer. A crafted payload using nested SVG elements can bypass attribute sanitization, allowing arbitrary JavaScript execution. The defect is in the sanitizer logic that decides which attribute rules apply: it fails to track namespace scope correctly when SVG elements are nested, so attributes on elements that the browser will still parse as SVG are not checked as SVG attributes [1].
Exploitation
An attacker can exploit this vulnerability by injecting a specially crafted payload containing nested SVG elements into content processed by TinyMCE. The payload bypasses the sanitizer's attribute filtering, leading to execution of arbitrary JavaScript. The attack requires the victim to view or edit content that includes the malicious payload, such as through a stored XSS scenario where the editor renders user-supplied content [1].
Impact
Successful exploitation executes attacker-controlled JavaScript in the origin of the page that hosts the editor, not in an isolated editor context. Depending on what that origin exposes to script (session cookies not flagged HttpOnly, tokens in web storage, authenticated API endpoints), this enables data theft, session hijacking, defacement, or actions performed as the victim. Severity therefore depends on where the application embeds the editor and on what content it lets untrusted users feed into it [1].
Mitigation
The vulnerability is fixed in TinyMCE 7.1.0; the changelog in the fix commit dates that release 2024-05-08. Users should upgrade to 7.1.0 or later. No official workaround is published. The issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
178140c0d6e78 TINY-10628: Merge changelog entries (#9626)
26 files changed · +63 −149
.changes/tinymce/7.1.0.md+31 −0 added@@ -0,0 +1,31 @@ +## 7.1.0 - 2024-05-08 + +### Added +- Added parser support for math elements. #TINY-10809 +- New `math-equation` icon. #TINY-10804 + +### Improved +- Included `itemprop`, `itemscope` and `itemtype` as valid HTML5 attributes in the core schema. #TINY-9932 +- Notification accessibility improvements: added tooltips, keyboard navigation and shortcut to focus on notificatons. #TINY-6925 +- Removed `aria-pressed` from the `More` button in sliding toolbar mode and replaced it with `aria-expanded`. #TINY-10795 +- The editor UI now renders correctly in Windows High Contrast Mode. #TINY-10781 + +### Fixed +- Backspacing in certain html setups resulted in data moving around unexpectedly. #TINY-10590 +- Dialog title markup changed to use an `h1` element instead of `div`. #TINY-10800 +- Dialog title was not announced in macOS VoiceOver, dialogs now use `aria-label` instead of `aria-labelledby` on macOS. #TINY-10808 +- Theme loader did not respect the suffix when it was loading skin CSS files. #TINY-10602 +- Custom block elements with colon characters would throw errors. #TINY-10813 +- Tab navigation in views didn't work. #TINY-10780 +- Video and audio elements could not be played on Safari. #TINY-10774 +- `ToggleToolbarDrawer` command did not toggle the toolbar in `sliding` mode when `{skipFocus: true}` parameter was passed. #TINY-10726 +- The buttons in the custom view header were clipped on when overflowing. #TINY-10741 +- In the custom view, the scrollbar of the container was not visible if its height was greater than the editor. #TINY-10741 +- Fixed accessibility issue by removing duplicate `role="menu"` attribute from color swatches. #TINY-10806 +- Fullscreen mode now prevents focus from leaving the editor. #TINY-10597 +- Open link context menu action did not work with selection surrounding a link. #TINY-10391 +- Styles were not retained when toggling a list on and off. 
#TINY-10837 +- Caret and placeholder text were invisible in Windows High Contrast Mode. #TINY-9811 +- Firefox did not announce the iframe title when `iframe_aria_text` was set. #TINY-10718 +- Notification width was not constrained to the width of the editor. #TINY-10886 +- Open link context menu action was not enabled for links on images. #TINY-10391
.changes/unreleased/tinymce-TINY-10391-2024-04-17.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Open link context menu action did not work with selection surrounding a link. -time: 2024-04-17T13:41:21.980893+09:30 -custom: - Issue: TINY-10391
.changes/unreleased/tinymce-TINY-10391-2024-04-26.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Open link context menu action was not enabled for links on images. -time: 2024-04-26T17:26:20.867461+09:30 -custom: - Issue: TINY-10391
.changes/unreleased/tinymce-TINY-10590-2024-03-06.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Backspacing in certain html setups resulted in data moving around unexpectedly. -time: 2024-03-06T16:07:38.830652013+01:00 -custom: - Issue: TINY-10590
.changes/unreleased/tinymce-TINY-10597-2024-04-14.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Fullscreen mode now prevents focus from leaving the editor. -time: 2024-04-14T21:23:35.919442+08:00 -custom: - Issue: TINY-10597
.changes/unreleased/tinymce-TINY-10602-2024-04-04.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Theme loader did not respect the suffix when it was loading skin CSS files. -time: 2024-04-04T16:35:26.405336+11:00 -custom: - Issue: TINY-10602
.changes/unreleased/tinymce-TINY-10718-2024-04-19.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Firefox did not announce the iframe title when `iframe_aria_text` was set. -time: 2024-04-19T22:50:45.839561+08:00 -custom: - Issue: TINY-10718
.changes/unreleased/tinymce-TINY-10726-2024-04-09.yaml+0 −7 removed@@ -1,7 +0,0 @@ -project: tinymce -kind: Fixed -body: '`ToggleToolbarDrawer` command did not toggle the toolbar in `sliding` mode - when `{skipFocus: true}` parameter was passed.' -time: 2024-04-09T23:36:48.55386+03:00 -custom: - Issue: TINY-10726
.changes/unreleased/tinymce-TINY-10741-2024-04-12-1.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: The buttons in the custom view header were clipped on when overflowing. -time: 2024-04-12T10:55:52.601575+09:30 -custom: - Issue: TINY-10741
.changes/unreleased/tinymce-TINY-10741-2024-04-12.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: In the custom view, the scrollbar of the container was not visible if its height was greater than the editor. -time: 2024-04-12T10:57:35.127892+09:30 -custom: - Issue: TINY-10741
.changes/unreleased/tinymce-TINY-10774-2024-04-08.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Video and audio elements could not be played on Safari. -time: 2024-04-08T15:06:01.494664+02:00 -custom: - Issue: TINY-10774
.changes/unreleased/tinymce-TINY-10780-2024-04-08.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Tab navigation in views didn't work. -time: 2024-04-08T12:53:40.468313658+02:00 -custom: - Issue: TINY-10780
.changes/unreleased/tinymce-TINY-10781-2024-04-22.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Improved -body: The editor UI now renders correctly in Windows High Contrast Mode. -time: 2024-04-22T22:21:18.646603+10:00 -custom: - Issue: TINY-10781
.changes/unreleased/tinymce-TINY-10795-2024-04-19.yaml+0 −7 removed@@ -1,7 +0,0 @@ -project: tinymce -kind: Improved -body: Removed `aria-pressed` from the `More` button in sliding toolbar mode - and replaced it with `aria-expanded`. -time: 2024-04-19T09:25:18.652068+08:00 -custom: - Issue: TINY-10795
.changes/unreleased/tinymce-TINY-10800-2024-04-02.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Dialog title markup changed to use an `h1` element instead of `div`. -time: 2024-04-02T21:41:45.987934+08:00 -custom: - Issue: TINY-10800
.changes/unreleased/tinymce-TINY-10804-2024-04-16.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Added -body: New `math-equation` icon. -time: 2024-04-16T15:40:11.225509035+02:00 -custom: - Issue: TINY-10804
.changes/unreleased/tinymce-TINY-10806-2024-04-12.yaml+0 −7 removed@@ -1,7 +0,0 @@ -project: tinymce -kind: Fixed -body: Fixed accessibility issue by removing duplicate `role="menu"` attribute from - color swatches. -time: 2024-04-12T10:36:16.480977+03:00 -custom: - Issue: TINY-10806
.changes/unreleased/tinymce-TINY-10808-2024-04-02.yaml+0 −7 removed@@ -1,7 +0,0 @@ -project: tinymce -kind: Fixed -body: Dialog title was not announced in macOS VoiceOver, dialogs now use `aria-label` - instead of `aria-labelledby` on macOS. -time: 2024-04-02T21:42:19.730734+08:00 -custom: - Issue: TINY-10808
.changes/unreleased/tinymce-TINY-10809-2024-04-08.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Added -body: Added parser support for math elements. -time: 2024-04-08T12:51:40.499266+02:00 -custom: - Issue: TINY-10809
.changes/unreleased/tinymce-TINY-10813-2024-04-04.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Custom block elements with colon characters would throw errors. -time: 2024-04-04T10:21:20.297165+02:00 -custom: - Issue: TINY-10813
.changes/unreleased/tinymce-TINY-10837-2024-04-18.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Styles were not retained when toggling a list on and off. -time: 2024-04-18T10:57:01.817028+02:00 -custom: - Issue: TINY-10837
.changes/unreleased/tinymce-TINY-10886-2024-04-25.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Notification width was not constrained to the width of the editor. -time: 2024-04-25T08:40:24.984951+02:00 -custom: - Issue: TINY-10886
.changes/unreleased/tinymce-TINY-6925-2024-04-18.yaml+0 −7 removed@@ -1,7 +0,0 @@ -project: tinymce -kind: Improved -body: 'Notification accessibility improvements: added tooltips, keyboard navigation - and shortcut to focus on notificatons.' -time: 2024-04-18T10:05:30.586268+08:00 -custom: - Issue: TINY-6925
.changes/unreleased/tinymce-TINY-9811-2024-04-19.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Fixed -body: Caret and placeholder text were invisible in Windows High Contrast Mode. -time: 2024-04-19T15:46:47.295442+10:00 -custom: - Issue: TINY-9811
.changes/unreleased/tinymce-TINY-9932-2024-03-06.yaml+0 −6 removed@@ -1,6 +0,0 @@ -project: tinymce -kind: Improved -body: Included `itemprop`, `itemscope` and `itemtype` as valid HTML5 attributes in the core schema. -time: 2024-03-06T15:55:10.739553+11:00 -custom: - Issue: TINY-9932
modules/tinymce/CHANGELOG.md+32 −0 modified@@ -5,6 +5,38 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html), and is generated by [Changie](https://github.com/miniscruff/changie). +## 7.1.0 - 2024-05-08 + +### Added +- Parser support for math elements. #TINY-10809 +- New `math-equation` icon. #TINY-10804 + +### Improved +- Included `itemprop`, `itemscope` and `itemtype` as valid HTML5 attributes in the core schema. #TINY-9932 +- Notification accessibility improvements: added tooltips, keyboard navigation and shortcut to focus on notifications. #TINY-6925 +- Removed `aria-pressed` from the `More` button in sliding toolbar mode and replaced it with `aria-expanded`. #TINY-10795 +- The editor UI now renders correctly in Windows High Contrast Mode. #TINY-10781 + +### Fixed +- Backspacing in certain html setups resulted in data moving around unexpectedly. #TINY-10590 +- Dialog title markup changed to use an `h1` element instead of `div`. #TINY-10800 +- Dialog title was not announced in macOS VoiceOver, dialogs now use `aria-label` instead of `aria-labelledby` on macOS. #TINY-10808 +- Theme loader did not respect the suffix when it was loading skin CSS files. #TINY-10602 +- Custom block elements with colon characters would throw errors. #TINY-10813 +- Tab navigation in views didn't work. #TINY-10780 +- Video and audio elements could not be played on Safari. #TINY-10774 +- `ToggleToolbarDrawer` command did not toggle the toolbar in `sliding` mode when `{skipFocus: true}` parameter was passed. #TINY-10726 +- The buttons in the custom view header were clipped on when overflowing. #TINY-10741 +- In the custom view, the scrollbar of the container was not visible if its height was greater than the editor. #TINY-10741 +- Fixed accessibility issue by removing duplicate `role="menu"` attribute from color swatches. 
#TINY-10806 +- Fullscreen mode now prevents focus from leaving the editor. #TINY-10597 +- Open link context menu action did not work with selection surrounding a link. #TINY-10391 +- Styles were not retained when toggling a list on and off. #TINY-10837 +- Caret and placeholder text were invisible in Windows High Contrast Mode. #TINY-9811 +- Firefox did not announce the iframe title when `iframe_aria_text` was set. #TINY-10718 +- Notification width was not constrained to the width of the editor. #TINY-10886 +- Open link context menu action was not enabled for links on images. #TINY-10391 + ## 7.0.1 - 2024-04-10 ### Fixed
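Review bot: the 7.1.0 notes added in `.changes/tinymce/7.1.0.md` carry no entry for the sanitizer fix this CVE is attributed to; every line is an accessibility, UI or parser change, so anyone auditing the changelog cannot tell 7.1.0 is a security release. Add a Fixed line that references the advisory, or, if disclosure is deliberately deferred, say so in the PR. Separately, "shortcut to focus on notificatons" is misspelled here and in the TINY-6925 YAML it was generated from, and "The buttons in the custom view header were clipped on when overflowing" should read "were clipped when overflowing"; fix the source YAML rather than the generated file.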
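Review bot: the 7.1.0 block added to `modules/tinymce/CHANGELOG.md` drifts from `.changes/tinymce/7.1.0.md` in the same commit: "Parser support for math elements" here versus "Added parser support for math elements" there, and "notifications" here versus "notificatons" there. The file header says the changelog is generated by Changie, so one of the two copies was edited by hand; regenerate both from the `.changes` source so they agree, and keep the (missing) security entry for this CVE in sync across both.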
Vulnerability mechanics
Root cause
"Improper SVG namespace scope handling in the sanitizer allows nested elements to bypass attribute sanitization."
Attack vector
An attacker who can supply content to a TinyMCE editor (e.g., via a comment or document field) crafts a payload using nested SVG elements that exploits improper namespace scope handling in the sanitizer. Because the sanitizer does not correctly track SVG namespace boundaries, a nested element can carry attributes that would normally be stripped, allowing execution of arbitrary JavaScript. The attack requires low privileges and user interaction (e.g., a victim viewing the rendered content), and it is exploitable over the network.
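The scope-tracking mistake described in the Vulnerability and Attack vector passages above, as an added JavaScript illustration of the bug class. This is constructed code, not TinyMCE's sanitizer and not the advisory's payload: the tag regex, the per-namespace URL attribute sets, the `flagScope` and `depthScope` trackers and the `PAYLOAD` string are all assumptions chosen to show the mechanism. The buggy tracker keeps a single "inside SVG" flag, so the `</svg>` that closes a nested `<svg>` flips it back to HTML rules while the browser's parser is still in foreign content; the fixed tracker counts open `<svg>` elements and only returns to HTML rules when the outermost one closes. The dangerous attribute is `xlink:href`, which browsers honour on an SVG `<a>` but ignore on an HTML `<a>`, so HTML rules that are perfectly correct for HTML let it through.

```javascript
// Added example (not TinyMCE code): a toy HTML sanitizer that chooses its
// attribute rules by namespace, with two ways of tracking the SVG scope.
// Assumed simplified markup: well-formed tags, attributes in double quotes,
// no comments, no CDATA, no <foreignObject>.

const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)((?:\s+[\w:-]+="[^"]*")*)\s*(\/?)>/g;
const ATTR_RE = /([\w:-]+)="([^"]*)"/g;

// Attributes that carry a URL, per namespace (assumed sets). In SVG, browsers
// still honour xlink:href on <a>, so it must be scheme-checked there; on an
// HTML <a> it is inert, so the HTML rules rightly ignore it.
const URL_ATTRS = {
  html: new Set(['href', 'src', 'action']),
  svg: new Set(['href', 'xlink:href']),
};

// Deliberately simple scheme check: relative URLs, fragments, http(s), mailto.
const SAFE_URL = /^(?:https?:|mailto:|\/|#|[^:]*$)/i;

function sanitizeAttrs(attrText, ns) {
  let out = '';
  for (const [, name, value] of attrText.matchAll(ATTR_RE)) {
    const key = name.toLowerCase();
    if (key.startsWith('on')) continue;                         // event handler
    if (URL_ATTRS[ns].has(key) && !SAFE_URL.test(value.trim())) continue;
    out += ` ${name}="${value}"`;
  }
  return out;
}

// Vulnerable scope tracker: a single flag. The </svg> that closes a nested
// <svg> clears it although the outer <svg> is still open.
function flagScope() {
  let inSvg = false;
  return {
    enter() { inSvg = true; },
    leave() { inSvg = false; },
    ns() { return inSvg ? 'svg' : 'html'; },
  };
}

// Fixed scope tracker: count open <svg> elements; rules return to HTML only
// when the outermost one closes (a stack of open elements would also do).
function depthScope() {
  let depth = 0;
  return {
    enter() { depth += 1; },
    leave() { depth = Math.max(0, depth - 1); },
    ns() { return depth > 0 ? 'svg' : 'html'; },
  };
}

// Rewrites every tag, keeping text as-is, and picks attribute rules from the
// namespace the tracker reports at that point in the stream.
function sanitize(html, scope) {
  return html.replace(TAG_RE, (whole, close, name, attrs, selfClose) => {
    if (name.toLowerCase() === 'svg') {
      if (close) scope.leave(); else scope.enter();
    }
    if (close) return `</${name}>`;
    return `<${name}${sanitizeAttrs(attrs, scope.ns())}${selfClose ? ' /' : ''}>`;
  });
}

// Constructed payload: the nested <svg></svg> pair is the scope trick; the
// <a xlink:href> that follows is still inside the outer <svg> for the browser.
const PAYLOAD = '<svg><svg></svg><a xlink:href="javascript:alert(1)">x</a></svg>';

function demo() {
  return {
    flag: sanitize(PAYLOAD, flagScope()),    // payload survives untouched
    depth: sanitize(PAYLOAD, depthScope()),  // xlink:href is stripped
  };
}

console.log(demo());
```

Two design notes. A counter is enough for this toy because the only scope change is `<svg>`; a real sanitizer should mirror the HTML parser's stack of open elements, since `<foreignObject>` and `<math>` switch namespaces as well and a mismatch in either direction applies the wrong rules. And the toy keeps every attribute it does not recognise as a URL or handler, which is why a wrong namespace is fatal; a per-namespace allowlist of attributes, as TinyMCE's schema approach implies, fails closed instead.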
Affected code
The patch does not include a diff to the sanitizer source code; the provided changes are limited to changelog and release-note files. The advisory states the vulnerability is in the SVG namespace scope handling within the HTML sanitizer, but the exact file paths and function names are not shown in the supplied bundle.
What the fix does
The bundle ties the fix to the 7.1.0 release rather than to a specific code change: the commit shown only merges changelog entries, and none of the 7.1.0 entries mentions the sanitizer, SVG handling, or a security fix. The advisory is the only source stating that 7.1.0 corrects SVG namespace scope handling in the sanitizer so that nested elements can no longer bypass attribute sanitization [1]; the release notes themselves do not confirm it, so confirm the fix by version number (7.1.0 or later) rather than by searching the changelog.
Preconditions
- input: The attacker must be able to supply HTML content to a TinyMCE editor instance (e.g., via a web form, comment field, or document body).
- network: The victim must view or interact with the crafted content in a browser where TinyMCE renders it.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://github.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69 (Vendor Advisory; listed by NVD)