ZeroPath at Black Hat USA 2026

TinyMCE CVE-2026-47759: Overview of Stored XSS via Internal data-mce-* Attribute Abuse

A brief summary of CVE-2026-47759, a stored XSS vulnerability in TinyMCE that bypasses sanitization through crafted data-mce-* attributes. Includes patch details and affected version information.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

TinyMCE CVE-2026-47759: Overview of Stored XSS via Internal data-mce-* Attribute Abuse
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A stored cross-site scripting vulnerability in TinyMCE allows attackers to smuggle malicious payloads through internal data-mce-* attributes, completely bypassing the editor's DOMPurify based sanitization. With a CVSS score of 8.7 and TinyMCE's presence across more than 20 million npm downloads, this vulnerability affects a significant portion of the web application ecosystem where rich text editing is a core feature.

TinyMCE is one of the most widely deployed open source WYSIWYG rich text editors, developed by Tiny Technologies (formerly Ephox Corporation). It is embedded in CMS platforms, enterprise applications, and SaaS products across virtually every industry. Its ubiquity means that a sanitization bypass in TinyMCE can have cascading effects across thousands of downstream applications.

Technical Information

The root cause of CVE-2026-47759 lies in a trust boundary gap between TinyMCE's internal attribute handling and its external sanitization layer.

How data-mce-* Attributes Work

When TinyMCE loads content into the editor, it copies the values of certain critical HTML attributes (href, src, and style) into corresponding internal attributes: data-mce-href, data-mce-src, and data-mce-style. These internal copies serve as the "source of truth" during content serialization, which is the process of converting the editor's internal DOM back into an HTML string for output. The design assumption was that these data-mce-* attributes would only ever be populated by TinyMCE's own trusted internal logic.

The Sanitization Gap

Since TinyMCE 6.0, the editor has used DOMPurify (version 3.x, upgraded to 3.2.6 in TinyMCE 8.0.1) and the native DOMParser API for HTML sanitization. DOMPurify effectively sanitizes standard HTML attributes like href, src, and style. However, data-mce-* attributes are custom data attributes that fall outside DOMPurify's default sanitization scope. DOMPurify treats them as harmless, because in standard HTML they are inert.

The vulnerability arises because TinyMCE's parser did not strip or validate pre-existing data-mce-* attributes on inbound content. An attacker could craft HTML content that already contained malicious data-mce-href, data-mce-src, or data-mce-style attribute values before it was loaded into TinyMCE. Since these attributes were not sanitized on ingestion, the attacker supplied values persisted in the editor's internal DOM.

The Override During Serialization

During serialization, TinyMCE reads the data-mce-* values and uses them to overwrite the corresponding sanitized href, src, or style attributes in the output HTML. This means the malicious values supplied by the attacker replace the safe, validated values, effectively bypassing all sanitization that had been applied to the standard attributes.

Attack Flow

  1. Craft malicious content: An attacker creates HTML content containing a malicious payload in a data-mce-* attribute. For example, an element might have a safe, validated href attribute alongside a data-mce-href attribute containing a javascript: URI or other malicious value.

  2. Submit to target application: This crafted content is submitted to a web application that uses TinyMCE, through a content creation form, API endpoint, or any other input mechanism that feeds into the editor.

  3. Sanitization bypass on load: When TinyMCE loads this content, DOMPurify sanitizes the standard HTML attributes (href, src, style) as expected. However, the data-mce-* attributes pass through unsanitized because they fall outside DOMPurify's scope.

  4. Malicious override on serialization: When the content is serialized for storage or display, TinyMCE's serializer reads the data-mce-href, data-mce-src, or data-mce-style values and uses them to replace the corresponding standard attributes in the output. The malicious values now occupy the href, src, or style positions in the final HTML.

  5. Stored XSS execution: When another user views the stored content, the malicious attribute values execute in their browser context, achieving stored XSS.

This is a particularly interesting class of vulnerability because it exploits the gap between two trust boundaries: DOMPurify trusts that data-mce-* attributes are harmless custom data attributes, while TinyMCE's serializer trusts that data-mce-* attributes contain values it set itself. Neither system validates the other's assumptions.

Broader Scope

The TinyMCE 7.9.3 changelog also notes an additional security fix for "stored XSS vulnerability using media plugin data-mce-object," indicating that the data-mce-* attribute sanitization issue may extend beyond the three attributes (data-mce-href, data-mce-src, data-mce-style) highlighted in the primary advisory.

Patch Information

The TinyMCE team released patched versions on May 20, 2026, addressing this stored XSS vulnerability across three release tracks: 5.11.1 (LTS), 7.9.3, and 8.5.1. These patches are available via npm, NuGet, and Composer.

How the Fix Works

The fix is conceptually elegant: the patched versions now strip unsafe data-mce-* attributes during the HTML parsing phase, before the content ever enters the editor's internal DOM. By removing any externally supplied data-mce-href, data-mce-src, and data-mce-style attributes at parse time, TinyMCE ensures that only values it generates internally can occupy these trusted positions. During serialization, the editor will only encounter data-mce-* values that it set itself from already validated attribute values, closing the override attack vector entirely.

Upgrade Guidance

The affected version ranges are:

  • All versions prior to 5.11.1
  • All 6.x versions (6.0.0 through 6.8.6)
  • All 7.x versions prior to 7.9.3
  • All 8.x versions prior to 8.5.1

There is no patch available for the TinyMCE 6.x branch. That major version has reached end of life. Users on TinyMCE 6.x must upgrade to either 7.9.3+ or 8.5.1+ to receive the fix. The 5.11.1 LTS patch is only available as part of a commercial long term support contract. No official workaround exists; upgrading is the sole remediation path.

Affected Systems and Versions

The following TinyMCE versions are vulnerable to CVE-2026-47759:

Version RangeStatus
All versions prior to 5.11.1Vulnerable (patch available via LTS contract)
6.0.0 through 6.8.6 (all 6.x)Vulnerable (end of life, no patch available)
7.0.0 through 7.9.2 (all 7.x before 7.9.3)Vulnerable (upgrade to 7.9.3)
8.0.0 through 8.5.0 (all 8.x before 8.5.1)Vulnerable (upgrade to 8.5.1)

Any web application, CMS, or platform that embeds a vulnerable version of TinyMCE is affected. This includes applications that load TinyMCE via npm, CDN, NuGet, Composer, or bundled distributions.

Vendor Security History

TinyMCE has a documented history of XSS vulnerabilities in its sanitization engine, suggesting a systemic challenge in the editor's architecture:

CVE / AdvisoryDescriptionAffected VersionsYear
Bishop Fox AdvisoryXSS in TinyMCE 5.2.15.2.12020
CVE-2024-29203XSS in content insertion codeMultiple2024
CVE-2024-38357XSS in content insertion codeMultiple (including 6.8.0)2024
GHSA-438c-3975-5x3fXSS in iframe handlingMultiple2024
CVE-2026-47759Stored XSS via data-mce-* attributes< 5.11.1, < 7.9.3, < 8.5.12026

The recurring nature of these XSS bypasses, even after the adoption of DOMPurify in TinyMCE 6.0, points to the fundamental difficulty of maintaining a rich text editor that must preserve complex HTML structures while preventing script injection. The data-mce-* attribute pattern in particular represents a class of vulnerability where internal editor metadata becomes an attack surface, a risk that is inherent to any editor that uses custom attributes as an internal state mechanism.

HeroDevs has highlighted that TinyMCE 6 is end of life with unpatched XSS vulnerabilities, and the lack of a 6.x patch for CVE-2026-47759 reinforces this concern for organizations still running that branch.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization