ZeroPath at Black Hat USA 2026

TinyMCE CVE-2026-47761: Overview of a High Severity Stored XSS via Media Plugin data-mce-object Injection

A brief summary of CVE-2026-47761, a stored XSS vulnerability in TinyMCE's media plugin that scores 8.7 CVSS and affects all versions prior to 5.11.1, 7.9.3, and 8.5.1, with the entire 6.x branch permanently unpatched due to end of life status.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

TinyMCE CVE-2026-47761: Overview of a High Severity Stored XSS via Media Plugin data-mce-object Injection
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A stored cross site scripting vulnerability in TinyMCE's media plugin allows attackers with low privileges to inject persistent malicious scripts that execute in the browsers of anyone who views the compromised content, crossing security boundaries into the hosting application. With a CVSS v3.1 score of 8.7, this is the highest severity CVE ever assigned to TinyMCE, and the entire 6.x branch will never receive a patch because it has reached end of life.

TinyMCE is one of the two dominant rich text editors on the web, with TinyMCE and CKEditor together accounting for approximately 58% of the rich text editor market according to developer survey data. It is embedded in platforms ranging from WordPress (as the classic editor) to enterprise SaaS products, making the potential blast radius of this vulnerability substantial across the web application ecosystem.

Technical Information

Root Cause: Insufficient Sanitization of Internal Attributes

CVE-2026-47761 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in TinyMCE's media plugin, which is responsible for handling embedded media objects such as video, audio, and iframe content.

When the media plugin processes embedded media elements, it converts them into TinyMCE's internal representation using custom HTML attributes: data-mce-object and data-mce-p-*. These attributes preserve editor state and enable proper rendering of media content within the editor's document model. The core issue is that TinyMCE's content sanitization logic fails to properly neutralize malicious payloads placed within these internal attributes during the conversion and reconstruction process.

CVSS Vector Breakdown

The full CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, which breaks down as follows:

MetricValueSignificance
Attack VectorNetworkExploitable remotely over the network
Attack ComplexityLowNo specialized conditions required
Privileges RequiredLowAttacker needs only minimal authentication
User InteractionRequiredVictim must view or render the content
ScopeChangedImpact crosses the TinyMCE security boundary into the hosting application
ConfidentialityHighComplete information disclosure possible
IntegrityHighComplete integrity compromise possible
AvailabilityNoneNo direct availability impact

The Scope: Changed metric is the key differentiator that elevates this CVE above all prior TinyMCE vulnerabilities. It indicates that a successful XSS payload injected through TinyMCE can compromise the broader web application's security context, not just the editor component itself. This means session tokens, authentication cookies, and application data belonging to the hosting application are all within reach of the attacker's injected script.

Attack Flow

The exploitation follows a stored XSS pattern:

  1. Injection: An attacker with low privileges (such as a content author or commenter) submits HTML content through TinyMCE that contains crafted data-mce-object and data-mce-p-* attributes carrying malicious JavaScript payloads.

  2. Storage: The application persists this content to its backend storage (typically a database). Because TinyMCE's sanitization fails to strip or neutralize the malicious attributes during processing, the payload survives the save operation intact.

  3. Rendering: When any user (including administrators) views the stored content, TinyMCE's media plugin processes the data-mce-object and data-mce-p-* attributes to reconstruct the media elements. During this reconstruction, the malicious script payload is injected into the rendered DOM and executes within the victim's browser session.

  4. Impact: The attacker's script runs with the full privileges of the victim's session in the context of the hosting application. This enables session hijacking, credential theft, data exfiltration, and further lateral movement depending on the victim's role.

Because this is stored XSS rather than reflected XSS, the payload is durable and scalable. Every user who views the compromised content triggers the payload, without requiring per victim social engineering.

Prerequisite: Media Plugin Must Be Enabled

The vulnerability specifically requires the TinyMCE media plugin to be enabled. Applications that do not load the media plugin are not affected. This is a relevant consideration for compensating controls, as disabling the media plugin eliminates the attack surface entirely for deployments that do not require embedded media functionality.

Affected Systems and Versions

The vulnerability affects the following TinyMCE version ranges:

BranchAffected RangeFixed VersionPatch Status
5.xAll versions prior to 5.11.15.11.1Commercial LTS contract only
6.x6.0.0 through 6.8.6NoneEnd of life; no patch will be issued
7.x7.0.0 through versions prior to 7.9.37.9.3Available
8.x8.0.0 through versions prior to 8.5.18.5.1Available

The 6.x branch represents the most critical exposure. TinyMCE 6 open source reached end of life on October 31, 2024, and the commercial version reached end of life on June 6, 2025. No security patches will be issued for this branch, meaning all TinyMCE 6.x deployments remain permanently vulnerable unless they migrate to a supported version or engage a third party such as HeroDevs for extended commercial LTS support.

The 5.11.1 fix is only available to organizations with a commercial long term support contract from Tiny Technologies.

Any application that embeds TinyMCE with the media plugin enabled is potentially affected. This includes content management systems, blogging platforms, enterprise applications, and any web application that uses TinyMCE for rich text editing with media embedding capabilities.

Remediation

The GitHub advisory explicitly states there is no official workaround for this vulnerability. Upgrading to a patched version is the only supported remediation:

  • TinyMCE 8.x: Upgrade to 8.5.1 or later
  • TinyMCE 7.x: Upgrade to 7.9.3 or later
  • TinyMCE 5.x: Upgrade to 5.11.1 (commercial LTS)
  • TinyMCE 6.x: Must migrate to 7.9.3, 8.5.1, or engage HeroDevs for extended support

For organizations that cannot upgrade immediately, compensating controls may reduce risk: disabling the media plugin if it is not required, implementing strict Content Security Policy headers with restrictive script-src directives, deploying WAF rules to detect data-mce-object and data-mce-p-* attribute patterns in submitted content, and scanning existing stored content for malicious data-mce-* attribute patterns.

Vendor Security History

TinyMCE has a well documented history of XSS vulnerabilities. CVE-2026-47761 is the latest in a series of at least 12 CVEs, nearly all involving cross site scripting variants. This pattern suggests a systemic challenge in content sanitization within the TinyMCE codebase.

Notable prior CVEs include:

CVECVSSDescription
CVE-2024-38357N/AXSS via noscript element content parsing
CVE-2024-298814.3XSS via SVG through object/embed element loading
CVE-2024-292034.3XSS via iframe element content insertion
CVE-2024-219106.1XSS via crafted image/link URLs
CVE-2023-482196.1mXSS via undo/redo and API text node manipulation
CVE-2023-458196.1XSS via Notification Manager API
CVE-2023-458186.1mXSS via undo/redo string trimming
CVE-2022-234945.4XSS via alert/confirm dialog injection
CVE-2020-174806.1XSS in core parser, paste, and visualchars plugins
CVE-2019-10100916.1XSS via media element paste exploitation

CVE-2026-47761's CVSS score of 8.7 is significantly higher than all prior TinyMCE CVEs, which typically scored between 4.3 and 6.1. The elevation is driven primarily by the Scope: Changed metric and the High confidentiality and integrity impact ratings.

The media plugin specifically has been a repeat attack surface. CVE-2019-1010091 also targeted the media element's embed tab for XSS injection, making CVE-2026-47761 the second known XSS vulnerability in this same component.

Tiny Technologies' decision to end of life TinyMCE 6 without backporting security fixes for this vulnerability (and prior CVEs such as CVE-2024-29203 and CVE-2024-29881) has created a growing population of permanently vulnerable deployments, a concern highlighted by HeroDevs in their March 2026 analysis.

Threat Landscape Context

As of May 28, 2026, there is no confirmed evidence of CVE-2026-47761 being actively exploited in the wild. The CVE was published on the same day, and no entries appear on CISA's Known Exploited Vulnerabilities catalog.

However, several contextual factors warrant attention. Proofpoint telemetry from late May 2026 identified 12 distinct 2026 CVEs being actively exploited in network facing attacks, demonstrating that threat actors are rapidly weaponizing newly disclosed vulnerabilities. The stored nature of this XSS makes it particularly attractive for session hijacking, credential theft, and malware delivery campaigns because it affects all users who view the compromised content without requiring per victim social engineering. The media plugin has been exploited before (CVE-2019-1010091), indicating threat actors are already familiar with this attack surface.

Credits

This vulnerability was discovered and reported by Aymane MAZGUITI (@UncleJ4ck) and Ange Primiterra (@ange_primiterra), as credited by Tiny Technologies in the GitHub advisory.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization