High severity8.7NVD Advisory· Published May 28, 2026· Updated May 28, 2026
CVE-2026-47761
CVE-2026-47761
Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tinymcenpm | >= 0 | — |
tinymcenpm | >= 6.0.0, < 7.9.3 | 7.9.3 |
tinymcenpm | >= 8.0.0, < 8.5.1 | 8.5.1 |
TinyMCENuGet | >= 0 | — |
TinyMCENuGet | >= 6.0.0, < 7.9.3 | 7.9.3 |
TinyMCENuGet | >= 8.0.0, < 8.5.1 | 8.5.1 |
tinymce/tinymcePackagist | >= 0 | — |
tinymce/tinymcePackagist | >= 6.0.0, < 7.9.3 | 7.9.3 |
tinymce/tinymcePackagist | >= 8.0.0, < 8.5.1 | 8.5.1 |
Affected products
5- ghsa-coords3 versions
>= 0+ 2 more
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
Patches
Vulnerability mechanics
References
5- github.com/tinymce/tinymce/security/advisories/GHSA-vg35-5wq7-3x7wnvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-vg35-5wq7-3x7wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-47761ghsaADVISORY
- www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/nvdRelease NotesWEB
- www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.