GHSA-mh5m-5hw4-5c69
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mh5m-5hw4-5c69
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-mh5m-5hw4-5c69/GHSA-mh5m-5hw4-5c69.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mh5m-5hw4-5c69
- Aliases
-
- CVE-2026-47760
- Published
- 2026-06-05T20:09:38Z
- Modified
- 2026-06-05T20:15:09.843992601Z
- Severity
-
- 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
- Details
-
Impact
TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested <svg> elements can bypass attribute sanitization and execute arbitrary JavaScript.
Patches
This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fixed in TinyMCE 7.1.0 and later.
Workarounds
No official workaround available.
Acknowledgements
Tiny thanks maple3142 (https://maple3142.net) of DEVCORE for their help identifying this vulnerability.
References
Fix introduced in TinyMCE 7.1.0 though a rewrite of code causing the vulnerability.
- Database specific
{ "nvd_published_at": "2026-05-28T16:16:28Z", "github_reviewed_at": "2026-06-05T20:09:38Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-79" ] }- References
Affected packages
npm / tinymce
Package
- Name
- tinymce
- View open source insights on deps.dev
- Purl
- pkg:npm/tinymce
NuGet / TinyMCE
Package
- Name
- TinyMCE
- View open source insights on deps.dev
- Purl
- pkg:nuget/TinyMCE
Packagist / tinymce/tinymce
Package
- Name
- tinymce/tinymce
- Purl
- pkg:composer/tinymce%2Ftinymce