Introduction
A stored cross site scripting vulnerability in TinyMCE's media plugin allows attackers with low privileges to inject persistent malicious scripts that execute in the browsers of anyone who views the compromised content, crossing security boundaries into the hosting application. With a CVSS v3.1 score of 8.7, this is the highest severity CVE ever assigned to TinyMCE, and the entire 6.x branch will never receive a patch because it has reached end of life.
TinyMCE is one of the two dominant rich text editors on the web, with TinyMCE and CKEditor together accounting for approximately 58% of the rich text editor market according to developer survey data. It is embedded in platforms ranging from WordPress (as the classic editor) to enterprise SaaS products, making the potential blast radius of this vulnerability substantial across the web application ecosystem.
Technical Information
Root Cause: Insufficient Sanitization of Internal Attributes
CVE-2026-47761 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in TinyMCE's media plugin, which is responsible for handling embedded media objects such as video, audio, and iframe content.
When the media plugin processes embedded media elements, it converts them into TinyMCE's internal representation using custom HTML attributes: data-mce-object and data-mce-p-*. These attributes preserve editor state and enable proper rendering of media content within the editor's document model. The core issue is that TinyMCE's content sanitization logic fails to properly neutralize malicious payloads placed within these internal attributes during the conversion and reconstruction process.
CVSS Vector Breakdown
The full CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, which breaks down as follows:
| Metric | Value | Significance |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | Low | Attacker needs only minimal authentication |
| User Interaction | Required | Victim must view or render the content |
| Scope | Changed | Impact crosses the TinyMCE security boundary into the hosting application |
| Confidentiality | High | Complete information disclosure possible |
| Integrity | High | Complete integrity compromise possible |
| Availability | None | No direct availability impact |
The Scope: Changed metric is the key differentiator that elevates this CVE above all prior TinyMCE vulnerabilities. It indicates that a successful XSS payload injected through TinyMCE can compromise the broader web application's security context, not just the editor component itself. This means session tokens, authentication cookies, and application data belonging to the hosting application are all within reach of the attacker's injected script.
Attack Flow
The exploitation follows a stored XSS pattern:
-
Injection: An attacker with low privileges (such as a content author or commenter) submits HTML content through TinyMCE that contains crafted
data-mce-objectanddata-mce-p-*attributes carrying malicious JavaScript payloads. -
Storage: The application persists this content to its backend storage (typically a database). Because TinyMCE's sanitization fails to strip or neutralize the malicious attributes during processing, the payload survives the save operation intact.
-
Rendering: When any user (including administrators) views the stored content, TinyMCE's media plugin processes the
data-mce-objectanddata-mce-p-*attributes to reconstruct the media elements. During this reconstruction, the malicious script payload is injected into the rendered DOM and executes within the victim's browser session. -
Impact: The attacker's script runs with the full privileges of the victim's session in the context of the hosting application. This enables session hijacking, credential theft, data exfiltration, and further lateral movement depending on the victim's role.
Because this is stored XSS rather than reflected XSS, the payload is durable and scalable. Every user who views the compromised content triggers the payload, without requiring per victim social engineering.
Prerequisite: Media Plugin Must Be Enabled
The vulnerability specifically requires the TinyMCE media plugin to be enabled. Applications that do not load the media plugin are not affected. This is a relevant consideration for compensating controls, as disabling the media plugin eliminates the attack surface entirely for deployments that do not require embedded media functionality.
Affected Systems and Versions
The vulnerability affects the following TinyMCE version ranges:
| Branch | Affected Range | Fixed Version | Patch Status |
|---|---|---|---|
| 5.x | All versions prior to 5.11.1 | 5.11.1 | Commercial LTS contract only |
| 6.x | 6.0.0 through 6.8.6 | None | End of life; no patch will be issued |
| 7.x | 7.0.0 through versions prior to 7.9.3 | 7.9.3 | Available |
| 8.x | 8.0.0 through versions prior to 8.5.1 | 8.5.1 | Available |
The 6.x branch represents the most critical exposure. TinyMCE 6 open source reached end of life on October 31, 2024, and the commercial version reached end of life on June 6, 2025. No security patches will be issued for this branch, meaning all TinyMCE 6.x deployments remain permanently vulnerable unless they migrate to a supported version or engage a third party such as HeroDevs for extended commercial LTS support.
The 5.11.1 fix is only available to organizations with a commercial long term support contract from Tiny Technologies.
Any application that embeds TinyMCE with the media plugin enabled is potentially affected. This includes content management systems, blogging platforms, enterprise applications, and any web application that uses TinyMCE for rich text editing with media embedding capabilities.
Remediation
The GitHub advisory explicitly states there is no official workaround for this vulnerability. Upgrading to a patched version is the only supported remediation:
- TinyMCE 8.x: Upgrade to 8.5.1 or later
- TinyMCE 7.x: Upgrade to 7.9.3 or later
- TinyMCE 5.x: Upgrade to 5.11.1 (commercial LTS)
- TinyMCE 6.x: Must migrate to 7.9.3, 8.5.1, or engage HeroDevs for extended support
For organizations that cannot upgrade immediately, compensating controls may reduce risk: disabling the media plugin if it is not required, implementing strict Content Security Policy headers with restrictive script-src directives, deploying WAF rules to detect data-mce-object and data-mce-p-* attribute patterns in submitted content, and scanning existing stored content for malicious data-mce-* attribute patterns.
Vendor Security History
TinyMCE has a well documented history of XSS vulnerabilities. CVE-2026-47761 is the latest in a series of at least 12 CVEs, nearly all involving cross site scripting variants. This pattern suggests a systemic challenge in content sanitization within the TinyMCE codebase.
Notable prior CVEs include:
| CVE | CVSS | Description |
|---|---|---|
| CVE-2024-38357 | N/A | XSS via noscript element content parsing |
| CVE-2024-29881 | 4.3 | XSS via SVG through object/embed element loading |
| CVE-2024-29203 | 4.3 | XSS via iframe element content insertion |
| CVE-2024-21910 | 6.1 | XSS via crafted image/link URLs |
| CVE-2023-48219 | 6.1 | mXSS via undo/redo and API text node manipulation |
| CVE-2023-45819 | 6.1 | XSS via Notification Manager API |
| CVE-2023-45818 | 6.1 | mXSS via undo/redo string trimming |
| CVE-2022-23494 | 5.4 | XSS via alert/confirm dialog injection |
| CVE-2020-17480 | 6.1 | XSS in core parser, paste, and visualchars plugins |
| CVE-2019-1010091 | 6.1 | XSS via media element paste exploitation |
CVE-2026-47761's CVSS score of 8.7 is significantly higher than all prior TinyMCE CVEs, which typically scored between 4.3 and 6.1. The elevation is driven primarily by the Scope: Changed metric and the High confidentiality and integrity impact ratings.
The media plugin specifically has been a repeat attack surface. CVE-2019-1010091 also targeted the media element's embed tab for XSS injection, making CVE-2026-47761 the second known XSS vulnerability in this same component.
Tiny Technologies' decision to end of life TinyMCE 6 without backporting security fixes for this vulnerability (and prior CVEs such as CVE-2024-29203 and CVE-2024-29881) has created a growing population of permanently vulnerable deployments, a concern highlighted by HeroDevs in their March 2026 analysis.
Threat Landscape Context
As of May 28, 2026, there is no confirmed evidence of CVE-2026-47761 being actively exploited in the wild. The CVE was published on the same day, and no entries appear on CISA's Known Exploited Vulnerabilities catalog.
However, several contextual factors warrant attention. Proofpoint telemetry from late May 2026 identified 12 distinct 2026 CVEs being actively exploited in network facing attacks, demonstrating that threat actors are rapidly weaponizing newly disclosed vulnerabilities. The stored nature of this XSS makes it particularly attractive for session hijacking, credential theft, and malware delivery campaigns because it affects all users who view the compromised content without requiring per victim social engineering. The media plugin has been exploited before (CVE-2019-1010091), indicating threat actors are already familiar with this attack surface.
Credits
This vulnerability was discovered and reported by Aymane MAZGUITI (@UncleJ4ck) and Ange Primiterra (@ange_primiterra), as credited by Tiny Technologies in the GitHub advisory.
References
- GitHub Advisory GHSA-vg35-5wq7-3x7w: TinyMCE XSS via media plugin data-mce-object injection
- NVD: CVE-2026-47761
- TinyMCE 8.5.1 Release Notes
- TinyMCE 7.9.3 Release Notes
- TinyMCE Security Guide
- TinyMCE Support and Version Lifecycle
- HeroDevs: TinyMCE 6 End of Life and Unpatched XSS Vulnerabilities
- OpenCVE: TinyMCE CVEs and Security Vulnerabilities
- Cybersecurity Help: Cross site scripting in TinyMCE VU131920
- Proofpoint: 2026 Vulnerability Exploitation in the Wild



