Introduction
A sanitizer bypass in TinyMCE's SVG namespace handling allows authenticated users to inject persistent JavaScript payloads that execute in the browser context of any user who views the crafted content. Given that TinyMCE powers over 100 million projects and holds roughly 32% market share in the rich text editor space, the blast radius of this stored XSS vulnerability is substantial.
TinyMCE is an open source WYSIWYG rich text editor used by more than 1.5 million developers to provide content editing capabilities in web applications, CMS platforms, SaaS products, and enterprise tools. It is maintained by Tiny Technologies, Inc. (now part of Tiugo Technologies) and distributed via npm, NuGet, Composer, and a hosted CDN (Tiny Cloud). Its dominance in the editor market, combined with high brand stickiness (developers rarely switch editors once adopted), means vulnerabilities in TinyMCE have outsized downstream impact.
CVE-2026-47760 carries a CVSS v3.1 base score of 8.7 (High) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. The scope change designation (S:C) is particularly significant: it means the XSS payload executes not within the TinyMCE editor frame, but in the full browser context of the hosting application, granting access to session tokens, cookies, and the entire DOM. The vulnerability was discovered by maple3142 of DEVCORE, a professional penetration testing firm, and disclosed responsibly with a coordinated patch release in TinyMCE 7.1.0.
Technical Information
Root Cause: SVG Namespace Scope Tracking Failure
The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting"). It resides in TinyMCE's HTML sanitizer component, specifically in the logic responsible for tracking SVG namespace scope across nested element structures.
When a properly functioning sanitizer encounters an SVG element, it must recognize that all child elements exist within the SVG namespace, where different attribute validation rules apply. SVG elements can legitimately include event handler attributes like onload that would be dangerous in an HTML context. The sanitizer must track which namespace is active at each nesting level and apply the appropriate validation rules accordingly.
The flaw in TinyMCE versions 6.8.0 through 7.0.x is that when multiple layers of nested <svg> elements are present, the sanitizer's state machine loses track of which namespace rules should govern deeply nested child elements. This causes the sanitizer to incorrectly evaluate event handler attributes under a permissive namespace context, allowing attributes containing malicious JavaScript (such as onload, onmouseover, or onclick) to pass through sanitization undetected.
CVSS Scoring Breakdown
| CVSS Metric | v3.1 Value | Interpretation |
|---|---|---|
| Attack Vector | Network (AV:N) | Remotely exploitable over the network |
| Attack Complexity | Low (AC:L) | No specialized conditions required |
| Privileges Required | Low (PR:L) | Authenticated user context sufficient |
| User Interaction | Required (UI:R) | Victim must interact with crafted content |
| Scope | Changed (S:C) | Impact extends beyond vulnerable component |
| Confidentiality | High (C:H) | Full application data accessible |
| Integrity | High (I:H) | Data manipulation possible |
| Availability | None (A:N) | No direct availability impact |
The CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear, with E:U indicating no known active exploitation at the time of scoring.
Attack Flow
An attacker exploiting CVE-2026-47760 would follow this general sequence:
-
Payload Construction: The attacker crafts an HTML fragment containing nested SVG elements with embedded JavaScript event handlers. The general structure involves multiple layers of
<svg>elements where inner elements carry event handler attributes that the sanitizer fails to strip due to the namespace tracking failure. -
Content Injection: The crafted payload is submitted through any feature that stores or displays user generated content via TinyMCE. This includes comment fields, profile biographies, document editors, CMS content areas, or any other input that passes through the TinyMCE editor and its sanitizer.
-
Sanitizer Bypass: When TinyMCE processes the submitted content, the sanitizer encounters the nested SVG structure. Due to the namespace scope tracking failure, the malicious event handler attributes on inner SVG elements survive sanitization. The sanitizer treats them as legitimate SVG attributes rather than dangerous HTML event handlers.
-
Execution Trigger: When a victim user loads or interacts with the page containing the stored payload, the browser renders the nested SVG elements and executes the JavaScript in the event handlers. This is a stored (persistent) XSS scenario, meaning every user who views the affected content is a potential victim.
-
Impact Realization: Because of the scope change (S:C), the executed JavaScript operates in the context of the entire web application. This enables session hijacking via cookie theft, credential harvesting, DOM manipulation, unauthorized actions performed on behalf of the victim, and data exfiltration. The high confidentiality and high integrity impact ratings reflect the full range of actions available to an attacker executing JavaScript in the application context.
Relationship to Previous SVG Namespace Bypasses
This vulnerability represents the third documented SVG related XSS bypass in TinyMCE. The previously disclosed CVE-2024-29881 allowed XSS through SVG embed elements with improper namespace handling. CVE-2026-47760 is more sophisticated, leveraging nested SVG trees rather than a single SVG element with an embed, making it harder to detect through simple pattern matching.
The TinyMCE 7.4.1 release notes also reference a related fix involving "DOMPurify allowing some bypassing which lead to improper sanitization of invalid HTML elements within XML contexts, exploiting parsing" differences between the HTML and XML parsers. This confirms that SVG/XML namespace boundary issues have been an ongoing architectural challenge for the TinyMCE sanitizer.
The escalation pattern is notable: from a single element bypass (CVE-2024-29881) to a multi layered nested SVG bypass (CVE-2026-47760), the bypasses have grown in sophistication while exploiting the same fundamental weakness in namespace boundary handling. The fix in 7.1.0 involved a rewrite of the problematic code rather than a targeted patch, suggesting the vendor recognized that incremental fixes were insufficient.
Defense in Depth Considerations
The GitHub advisory explicitly states that no workaround is available; upgrading to TinyMCE 7.1.0 is the sole remediation path. However, organizations should implement supplementary controls:
Content Security Policy (CSP): A strict CSP header that restricts inline script execution (script-src without 'unsafe-inline') serves as a second line of defense. Even if a payload survives the TinyMCE sanitizer, CSP can prevent the injected JavaScript from executing.
Server Side Content Validation: Client side sanitization alone is insufficient because it can be bypassed by direct HTTP requests that circumvent the editor entirely. Organizations should implement rigorous server side validation of all content submitted through TinyMCE, including rejecting or sanitizing SVG content at the server level before storage.
DOMPurify Configuration Review: TinyMCE uses DOMPurify 3.x for HTML sanitization. The TinyMCE documentation notes that the editor does not natively support SVGs due to security risks. Organizations should evaluate whether SVG support is genuinely required and configure DOMPurify with the most restrictive settings possible.
Cookie Security Flags: Setting HttpOnly and Secure flags on session cookies limits the impact of successful XSS exploitation by preventing JavaScript from accessing session tokens via document.cookie.
Affected Systems and Versions
CVE-2026-47760 affects all TinyMCE installations from version 6.8.0 through versions prior to 7.1.0 (i.e., all 6.8.x, 6.9.x, 7.0.x releases). The vulnerability is present across all distribution channels:
| Distribution Channel | Package Identifier | Vulnerable Versions | Fixed Version |
|---|---|---|---|
| npm | tinymce | >= 6.8.0, < 7.1.0 | 7.1.0 |
| NuGet | TinyMCE | >= 6.8.0, < 7.1.0 | 7.1.0 |
| Composer | tinymce/tinymce | >= 6.8.0, < 7.1.0 | 7.1.0 |
| Tiny Cloud (CDN) | CDN hosted | >= 6.8.0, < 7.1.0 | 7.1.0 |
Organizations using Tiny Cloud (CDN hosted TinyMCE) should verify the version loaded in their application is 7.1.0 or later by checking the version query parameter or TinyMCE initialization output.
Critical note for TinyMCE 6.x users: TinyMCE 6 has reached end of life and will not receive security patches for this vulnerability. Organizations running any TinyMCE 6.x version must upgrade to TinyMCE 7.1.0 or later, as there is no patch path for the 6.x branch. This compounds with previously unpatched vulnerabilities in the 6.x line, including CVE-2024-29203 and CVE-2024-29881.
Vendor Security History
TinyMCE has experienced a notable series of XSS vulnerabilities, particularly related to SVG handling and sanitizer bypasses. The documented security history includes:
| CVE/Advisory | Year | Type | Severity | Root Cause |
|---|---|---|---|---|
| GHSA-gg8r-xjwq-4w92 | 2022 | XSS (alerts) | Moderate | Malicious HTML in alert/confirm dialogs |
| GHSA-438c-3975-5x3f | 2024 | XSS (iframe) | Moderate | Malicious iframe content insertion |
| CVE-2024-29881 | 2024 | XSS (SVG embed) | Moderate | SVG embed element bypassing content loading |
| GHSA-9hcv-j9pv-qmph | 2024 | XSS (noscript) | Moderate | noscript element parsing bypass |
| CVE-2024-29203 | 2024 | XSS | Critical | Stored XSS in TinyMCE |
| CVE-2024-38356 | 2024 | XSS | N/A | Additional XSS variant |
| CVE-2026-47760 | 2026 | XSS (nested SVG) | 8.7 (High) | Improper SVG namespace scope handling |
The recurrence of sanitizer bypass vulnerabilities, especially those exploiting SVG namespace handling, indicates a systemic design challenge. Each fix has addressed a specific bypass technique, but the underlying namespace tracking logic has continued to produce new bypass variants. The vendor maintains a responsible disclosure program and has demonstrated consistent responsiveness in patching, but the pattern suggests that the integration layer between TinyMCE and its DOMPurify based sanitization engine remains a persistent source of security issues.
The end of life status of TinyMCE 6 further complicates the picture. Organizations still running TinyMCE 6.x face compounding risk from both older and newer XSS flaws with no vendor patch path available.
References
- NVD: CVE-2026-47760
- GitHub Advisory GHSA-mh5m-5hw4-5c69: TinyMCE XSS via Nested SVG Sanitization Bypass
- SB2026052049: Cross-site Scripting in TinyMCE
- TinyMCE Security Guide
- CISA Known Exploited Vulnerabilities Catalog
- NVD: CVE-2024-29881
- TinyMCE Changelog
- TinyMCE 7.4.1 Release Notes
- TinyMCE Security Advisories
- TinyMCE 6 End of Life: Unpatched XSS Vulnerabilities (HeroDevs)
- DEVCORE Team
- Developer Survey Results: State of Rich Text Editors in 2023
- Snyk: tinymce Package Vulnerabilities



