high

CVE

CVE-2026-47759, CVE-2026-47760, CVE-2026-47761, CVE-2026-47762

CWE

CWE-79

Affected Surface

tinymce npm package before 5.11.1, 7.9.3, or 8.5.1 depending on branch, TinyMCE NuGet package before 5.11.1, 7.9.3, or 8.5.1 depending on branch, tinymce/tinymce Composer package before 5.11.1, 7.9.3, or 8.5.1 depending on branch, TinyMCE 6.8.0 through 7.0.x for CVE-2026-47760, CMS, admin consoles, wikis, and SaaS products that store and later render TinyMCE-authored HTML

TinyMCE published four high-severity stored-XSS advisories that matter well beyond direct TinyMCE consumers. TinyMCE is embedded in CMSes, helpdesk systems, SaaS admin consoles, internal wikis, education platforms, and custom content-management workflows. A sanitizer bug in that layer can turn a low-privilege content editor into an attacker-controlled script source for higher-privilege reviewers.

The four CVEs were published to NVD on 28 May and have CVSS 3.1 scores of 8.7 in the upstream advisories. They affect TinyMCE packages distributed through npm, NuGet, and Composer.

Affected packages

Affected package names:

  • tinymce on npm
  • TinyMCE on NuGet
  • tinymce/tinymce on Composer / Packagist

Upgrade targets:

  • TinyMCE 8.5.1 or later for the 8.x branch
  • TinyMCE 7.9.3 or later for the 7.x branch
  • TinyMCE 5.11.1 LTS or later for the 5.x branch
  • TinyMCE 7.1.0 or later fixes the nested-SVG namespace issue (CVE-2026-47760) for the >=6.8.0 <7.1.0 range; 7.1.0 through 7.9.2 remain affected by the other three advisories, so the practical 7.x target is still 7.9.3

The 6.x branch deserves special attention. The three shared advisories list >=6.0.0 <=6.8.6 as affected with no fixed 6.x release, and 6.8.x additionally falls inside the >=6.8.0 <7.1.0 range of CVE-2026-47760. Teams still on 6.x therefore need a branch upgrade to 7.9.3 or 8.5.1 rather than a routine patch bump.

CVE map

CVE-2026-47759
  Vulnerable path: data-mce-href, data-mce-src, and data-mce-style survive parsing and override sanitized attributes during serialization
  Affected ranges: <5.11.1, >=6.0.0 <=6.8.6, >=7.0.0 <7.9.3, >=8.0.0 <8.5.1
  Fixed versions: 5.11.1, 7.9.3, 8.5.1

CVE-2026-47760
  Vulnerable path: nested SVG namespace handling lets crafted elements bypass attribute sanitization
  Affected ranges: >=6.8.0 <7.1.0
  Fixed versions: 7.1.0

CVE-2026-47761
  Vulnerable path: media plugin handling of data-mce-object and data-mce-p-* attributes allows script injection
  Affected ranges: <5.11.1, >=6.0.0 <=6.8.6, >=7.0.0 <7.9.3, >=8.0.0 <8.5.1
  Fixed versions: 5.11.1, 7.9.3, 8.5.1

CVE-2026-47762
  Vulnerable path: forged mce:protected comments are restored into DOM content without the expected validation
  Affected ranges: <5.11.1, >=6.0.0 <=6.8.6, >=7.0.0 <7.9.3, >=8.0.0 <8.5.1
  Fixed versions: 5.11.1, 7.9.3, 8.5.1
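The ranges in the CVE map are easy to misread across three branches, so here is a small version classifier that encodes them. It is an added example, not TinyMCE or advisory code. The version-from-bundle helper assumes that tinymce's majorVersion and minorVersion properties appear as adjacent string literals in a minified bundle; that layout is an assumption, and the sample bundle text is constructed.

```javascript
// Added example, not TinyMCE or advisory code: classify a TinyMCE version
// against the ranges in the CVE map above and name the fix target on its branch.
// The shared ranges apply to CVE-2026-47759, -47761 and -47762; -47760 is narrower.
const SHARED_RANGES = [
  { min: '0.0.0', max: '5.11.1' },                    // < 5.11.1
  { min: '6.0.0', max: '6.8.6', maxInclusive: true }, // >= 6.0.0 <= 6.8.6 (no 6.x fix)
  { min: '7.0.0', max: '7.9.3' },                     // >= 7.0.0 < 7.9.3
  { min: '8.0.0', max: '8.5.1' },                     // >= 8.0.0 < 8.5.1
];
const CVE_RANGES = {
  'CVE-2026-47759': SHARED_RANGES,
  'CVE-2026-47760': [{ min: '6.8.0', max: '7.1.0' }], // >= 6.8.0 < 7.1.0
  'CVE-2026-47761': SHARED_RANGES,
  'CVE-2026-47762': SHARED_RANGES,
};
// First fixed release per branch; 6.x has none, so it needs a branch upgrade.
const FIXED_ON_BRANCH = { 5: '5.11.1', 7: '7.9.3', 8: '8.5.1' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i += 1) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, { min, max, maxInclusive = false }) {
  const aboveMin = compareVersions(version, min) >= 0;
  const cmpMax = compareVersions(version, max);
  return aboveMin && (maxInclusive ? cmpMax <= 0 : cmpMax < 0);
}

// CVE identifiers from the map whose ranges cover the given version.
function affectedCves(version) {
  return Object.entries(CVE_RANGES)
    .filter(([, ranges]) => ranges.some((r) => inRange(version, r)))
    .map(([cve]) => cve);
}

// Upgrade advice: the fixed release on the same branch, or 'branch upgrade'
// when the branch has no fixed release (6.x). Null when nothing applies.
function upgradeTarget(version) {
  if (affectedCves(version).length === 0) return null;
  const major = parseVersion(version)[0];
  return FIXED_ON_BRANCH[major] ?? 'branch upgrade';
}

// Vendored bundles have no package.json. tinymce exposes majorVersion and
// minorVersion on its EditorManager; this assumes the two appear as adjacent
// string literals in the minified file (an assumption about bundle layout).
function versionFromBundle(source) {
  const m = /majorVersion\s*:\s*["'](\d+)["']\s*,\s*minorVersion\s*:\s*["']([\d.]+)["']/.exec(source);
  return m ? `${m[1]}.${m[2]}` : null;
}

// Constructed sample standing in for a vendored tinymce.min.js.
const SAMPLE_BUNDLE = 'var t={majorVersion:"6",minorVersion:"8.6",suffix:".min"};';

for (const v of ['5.10.9', '6.7.0', '6.8.6', '7.0.5', '7.9.3', '8.5.0', versionFromBundle(SAMPLE_BUNDLE)]) {
  console.log(v, affectedCves(v).join(' ') || 'not affected', '->', upgradeTarget(v) ?? 'no action');
}
```

Run it with `node` against versions pulled from `npm ls tinymce`, `composer show`, or a grep of vendored bundles; the 6.x rows come back as 'branch upgrade' because no 6.x release closes the shared advisories.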

Why stored editor XSS is high-impact

These are stored XSS bugs, not only preview-time rendering issues. A realistic attack path looks like this:

low-privilege editor account
  -> save crafted rich-text payload
  -> administrator previews or reviews the content
  -> TinyMCE restores attacker-controlled HTML into the DOM
  -> script runs in administrator browser context
  -> session token, CSRF token, or privileged action is abused

That chain can become server-side impact in systems where an administrator can upload plugins, edit templates, install themes, or configure integrations. WordPress is the obvious example, but the same pattern appears in many CMS and SaaS platforms: administrator XSS becomes application-level takeover because the administrator role is allowed to modify executable content or outbound integrations.

Vulnerable mechanics

The common theme is that TinyMCE stores rich text as HTML, then parses, normalizes, serializes, and restores that HTML. Sanitizers must protect every transition, including editor-internal attributes and temporary placeholders.

CVE-2026-47759 abuses internal data-mce-* attributes:

<a
  href="https://example.invalid/safe"
  data-mce-href="javascript:fetch('/admin/session').then(r => r.text())">
  preview
</a>

If the editor treats data-mce-href as trusted internal state, the unsafe value can be reintroduced later as the effective link target.

CVE-2026-47761 reaches a similar class of behavior through the media plugin. Media embeds flow through plugin-specific conversion logic, where attributes such as data-mce-object and data-mce-p-* must be sanitized with the same strictness as ordinary HTML attributes.

CVE-2026-47762 targets mce:protected comments. TinyMCE uses protected comments to carry content through parsing untouched and restore it afterwards. If an attacker can forge a protected comment in stored content and have it restored as trusted content, the sanitizer has effectively become a storage format for the payload:

<!--mce:protected <script>new Image().src='/leak?c='+document.cookie</script> -->

CVE-2026-47760 is narrower in version range but still important because SVG namespace handling has historically been a rich XSS source. Nested SVG elements can shift parser context in ways that make attribute allowlists behave differently than the sanitizer author expected.
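The common mechanism behind CVE-2026-47759 and CVE-2026-47762 is easier to see in a toy round trip than in the real parser. The model below is an added example and is not TinyMCE's code: a sanitizer that checks only the public href/src attributes, a serializer that lets data-mce-* override them on output, and a restore step that puts mce:protected comment bodies back verbatim. The hardened variant strips both kinds of editor-internal state from stored content before parsing, so only the editor itself can create them. The two inputs are constructed from the payload shapes shown above.

```javascript
// Added example, not TinyMCE code: a toy model of an editor round trip.
// Stored HTML is tokenized, URL attributes are sanitized, then editor-internal
// state (data-mce-* attributes, mce:protected comments) is honoured on output.
// It shows why a sanitizer that checks only the public attributes is bypassed.
const UNSAFE_SCHEME = /^\s*(?:javascript|vbscript|data)\s*:/i;
const URL_ATTRS = new Set(['href', 'src']);
const INTERNAL_PREFIX = 'data-mce-';
const PROTECTED = /<!--mce:protected ([\s\S]*?)-->/g;

// Minimal tokenizer for the demo: comments, start tags with double-quoted
// attributes, end tags, and text. Not a real HTML parser.
function tokenize(html) {
  const re = /<!--[\s\S]*?-->|<[\w:-]+(?:\s+[\w:-]+="[^"]*")*\s*\/?>|<\/[\w:-]+>|[^<]+/g;
  return Array.from(html.matchAll(re), (m) => m[0]);
}

function parseStartTag(tag) {
  const m = /^<([\w:-]+)([\s\S]*?)\/?>$/.exec(tag);
  const attrs = {};
  for (const a of m[2].matchAll(/([\w:-]+)="([^"]*)"/g)) attrs[a[1]] = a[2];
  return { name: m[1], attrs };
}

// Parse-time sanitizer: drops unsafe URL attributes by their public name and
// leaves data-mce-* alone because they are "editor internal".
function sanitizeAttrs(attrs) {
  return Object.fromEntries(Object.entries(attrs)
    .filter(([k, v]) => !(URL_ATTRS.has(k) && UNSAFE_SCHEME.test(v))));
}

// Serializer: data-mce-X records the original value of X and wins over the
// visible attribute when content is written back out.
function serializeStartTag({ name, attrs }) {
  const out = { ...attrs };
  for (const [k, v] of Object.entries(attrs)) {
    if (k.startsWith(INTERNAL_PREFIX)) {
      out[k.slice(INTERNAL_PREFIX.length)] = v;
      delete out[k];
    }
  }
  const rendered = Object.entries(out).map(([k, v]) => ` ${k}="${v}"`).join('');
  return `<${name}${rendered}>`;
}

// Protected comments are restored verbatim, without passing the sanitizer.
function unprotect(html) {
  return html.replace(PROTECTED, (_, body) => body);
}

// Hardened boundary: editor-internal state is never accepted from stored
// content. It is stripped before parsing, so only the editor can create it.
function stripInternalState(html) {
  return html
    .replace(PROTECTED, '')
    .replace(/\s+data-mce-[\w-]+="[^"]*"/g, '');
}

function roundTrip(html, { hardened = false } = {}) {
  const input = hardened ? stripInternalState(html) : html;
  const out = tokenize(input).map((t) => {
    const isStartTag = t.startsWith('<') && !t.startsWith('<!--') && !t.startsWith('</');
    if (!isStartTag) return t;
    const node = parseStartTag(t);
    node.attrs = sanitizeAttrs(node.attrs);
    return serializeStartTag(node);
  }).join('');
  return unprotect(out);
}

// Constructed inputs modelled on the two payload shapes shown above.
const STORED_LINK =
  '<a href="https://example.invalid/safe" data-mce-href="javascript:fetch(\'/admin/session\')">preview</a>';
const STORED_COMMENT =
  '<p>hello</p><!--mce:protected <script>new Image().src=\'/leak?c=\'+document.cookie</script> -->';

for (const html of [STORED_LINK, STORED_COMMENT]) {
  console.log('vulnerable:', roundTrip(html));
  console.log('hardened:  ', roundTrip(html, { hardened: true }));
}
```

In the vulnerable path the visible href passes the scheme check, then data-mce-href overwrites it on output with the javascript: URL; the protected comment never meets the sanitizer at all and its script is emitted as markup. The hardening choice here is deliberate: rather than teaching the sanitizer about every internal attribute and marker, the boundary refuses to accept editor-internal state from outside, which is the same principle the fixed releases have to enforce at every parse, serialize, and restore transition.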

Detection

Inventory direct package usage:

npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | grep -i tinymce

Then search templates, bundles, and CMS plugin directories for CDN or vendored copies:

cdn.tiny.cloud
cdnjs.cloudflare.com/ajax/libs/tinymce
tinymce.min.js
plugins/media/plugin.min.js

Because these are stored XSS issues, existing content can already contain payloads. Search persisted content for suspicious editor-internal attributes and protected comments:

SELECT id, title
FROM content
WHERE body LIKE '%data-mce-href%'
   OR body LIKE '%data-mce-src%'
   OR body LIKE '%data-mce-style%'
   OR body LIKE '%data-mce-object%'
   OR body LIKE '%mce:protected%'
   OR body LIKE '%<svg%<svg%';

The query is intentionally broad. Treat matches as triage candidates, not proof of exploitation.
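Because a data-mce-href that simply mirrors href is normal editor residue, the LIKE query will return many harmless rows. The script below is an added example, not part of the advisories, that ranks those rows for a reviewer: executable values (unsafe URL schemes, script or event-handler text inside a protected comment, CSS expression or javascript: in data-mce-style) are 'high', while internal state that merely should not be in stored content (mismatched internal attributes, media placeholders, nested SVG) is 'review'. The rows are constructed to stand in for the SQL result set.

```javascript
// Added example, not part of the advisories: a second-pass triage for rows the
// broad SQL query above returns. It separates live-looking payloads from the
// ordinary editor residue (data-mce-href that just mirrors href) that the LIKE
// patterns also match, so reviewers look at the likely exploits first.
const UNSAFE_SCHEME = /^\s*(?:javascript|vbscript|data)\s*:/i;
const PROTECTED = /<!--mce:protected ([\s\S]*?)-->/g;
const SCRIPTY = /<script\b|\bon\w+\s*=|javascript\s*:/i;

// Double-quoted attributes of one start tag, keys lower-cased.
function attrsOf(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([\w:-]+)\s*=\s*"([^"]*)"/g)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Maximum <svg> nesting depth, counted from open and close tags.
function nestedSvgDepth(body) {
  let depth = 0;
  let max = 0;
  for (const m of body.matchAll(/<(\/?)svg\b/gi)) {
    depth += m[1] ? -1 : 1;
    max = Math.max(max, depth);
  }
  return max;
}

// Findings for one stored row: 'high' for indicators that carry an executable
// value, 'review' for editor-internal state that should not be in stored content.
function triage(row) {
  const findings = [];
  const add = (severity, indicator, detail) => findings.push({ id: row.id, severity, indicator, detail });

  for (const [tag] of row.body.matchAll(/<[a-z][^>]*>/gi)) {
    const a = attrsOf(tag);
    for (const name of ['href', 'src']) {
      const internal = a[`data-mce-${name}`];
      if (internal === undefined) continue;
      if (UNSAFE_SCHEME.test(internal)) add('high', `data-mce-${name}`, internal);
      else if (internal !== a[name]) add('review', `data-mce-${name}`, `differs from ${name}`);
    }
    if (a['data-mce-style'] !== undefined && /expression\s*\(|javascript\s*:/i.test(a['data-mce-style'])) {
      add('high', 'data-mce-style', a['data-mce-style']);
    }
    if (a['data-mce-object'] !== undefined) add('review', 'data-mce-object', 'media plugin placeholder');
  }
  for (const [, body] of row.body.matchAll(PROTECTED)) {
    add(SCRIPTY.test(body) ? 'high' : 'review', 'mce:protected', body.trim());
  }
  const depth = nestedSvgDepth(row.body);
  if (depth > 1) add('review', 'nested-svg', `depth ${depth}`);
  return findings;
}

const ORDER = { high: 0, review: 1 };
function rank(rows) {
  return rows.flatMap(triage).sort((x, y) => ORDER[x.severity] - ORDER[y.severity] || x.id - y.id);
}

// Constructed rows standing in for the SQL result set.
const ROWS = [
  { id: 1, body: '<a href="https://example.invalid/x" data-mce-href="https://example.invalid/x">ok</a>' },
  { id: 2, body: '<a href="https://example.invalid/safe" data-mce-href="javascript:alert(1)">preview</a>' },
  { id: 3, body: '<p>note</p><!--mce:protected <script>fetch("/leak")</script> -->' },
  { id: 4, body: '<svg><svg><a xlink:href="https://example.invalid/">x</a></svg></svg>' },
  { id: 5, body: '<span data-mce-object="video" data-mce-p-src="https://example.invalid/v.mp4"></span>' },
];

for (const f of rank(ROWS)) console.log(f.severity, `row ${f.id}`, f.indicator, f.detail);
```

Row 1 produces no finding because its internal attribute matches the visible one; feed the real rows in through a database client and keep the 'review' bucket for the same human look the query already demands, since a benign mismatch and a staged payload can look alike at this level.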

Remediation

Upgrade TinyMCE to a fixed branch. If TinyMCE is bundled through a CMS plugin, theme, admin UI package, or commercial SaaS component, patch through that vendor’s release channel rather than only updating direct dependencies.

After patching, review editor-role access. Stored XSS is gated by the ability to save content, so abandoned contributor accounts, contractor accounts, support accounts, and low-trust content roles are part of the attack surface. Pair the version update with MFA on admin roles, tighter Content Security Policy, and restricted admin-console network access where practical.

References