CVE-2026-47760

8.7 HIGH

TinyMCE is an open source rich text editor

Published: 2026-05-28 · Last updated: 2026-05-28

Severity and scoring

CVSS: 8.7 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE: CWE-79

Affected products

Vendor	Product
tiny	tinymce

Description

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-47760
[Vendor advisory]https://github.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69

Related CVEs

Same vendor

CVE-2026-47762 — TinyMCE is an open source rich text editor (8.7 HIGH)
CVE-2026-47761 — TinyMCE is an open source rich text editor (8.7 HIGH)
CVE-2026-47759 — TinyMCE is an open source rich text editor (8.7 HIGH)

Same CWE

CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions (7.1 HIGH)
CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)
CVE-2026-39437 — Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions (7.1 HIGH)