GHSA-vg35-5wq7-3x7w

Source
https://github.com/advisories/GHSA-vg35-5wq7-3x7w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vg35-5wq7-3x7w
Aliases
  • CVE-2026-47761
Published
2026-06-05T20:29:43Z
Modified
2026-06-05T20:45:11.485704788Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
Details

Impact

Stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when the content is rendered. This impacts users of TinyMCE with the media plugin enabled.

Patches

This vulnerability has been patched in TinyMCE 8.5.1, TinyMCE 7.9.3 and TinyMCE 5.11.1 LTS by ensuring that, when the media plugin is in use, any content carrying data-mce-object and data-mce-p-* attributes is properly sanitized.

Workarounds

No official workaround available.

Fix

To avoid this vulnerability:

  • Upgrade to TinyMCE 8.5.1 or higher.
  • Upgrade to TinyMCE 7.9.3 or higher.
  • Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Aymane MAZGUITI and Ange Primiterra for their help identifying this vulnerability.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T20:29:43Z",
    "nvd_published_at": "2026-05-28T16:16:28Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

npm
tinymce

Package

Name
tinymce
Purl
pkg:npm/tinymce

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
last_known_affected_version_range
"< 5.11.1"
tinymce

Package

Name
tinymce
Purl
pkg:npm/tinymce

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
7.9.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
tinymce

Package

Name
tinymce
Purl
pkg:npm/tinymce

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0
Fixed
8.5.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
NuGet
TinyMCE

Package

Name
TinyMCE
Purl
pkg:nuget/TinyMCE

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

3.*
3.4.3.2
3.4.4
3.4.5
3.4.7
3.5.0
3.5.0.1
3.5.1
3.5.1.1
3.5.2
3.5.3
3.5.4
3.5.4.1
3.5.5
3.5.6
3.5.7
3.5.8
4.*
4.0.0
4.0.1
4.0.2
4.0.4
4.0.5
4.0.6
4.0.8
4.0.9
4.0.10
4.0.11
4.0.13
4.0.14
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.22
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.3.12
4.3.13
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.7.0
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.7.8
4.7.9
4.7.10
4.7.11
4.7.12
4.7.13
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.9.8
4.9.9
4.9.10
4.9.11
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.4.2
5.5.0
5.5.1
5.6.0
5.6.1
5.6.2
5.7.0
5.7.1
5.8.0
5.8.1
5.8.2
5.9.0
5.9.1
5.9.2
5.10.0
5.10.1
5.10.2
5.10.3
5.10.4
5.10.5
5.10.6
5.10.7
5.10.8
5.10.9
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.1.0
6.1.1
6.1.2
6.2.0
6.3.0
6.3.1
6.3.2
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.2
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.3.0
7.4.0
7.4.1
7.5.0
7.5.1
7.6.0
7.6.1
7.7.0
7.7.1
7.7.2
7.8.0
7.9.0
7.9.1
7.9.2
7.9.3
8.*
8.0.0
8.0.1
8.0.2
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
8.2.2
8.3.0
8.3.1
8.3.2
8.4.0
8.5.0
8.5.1
8.6.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
last_known_affected_version_range
"< 5.11.1"
TinyMCE

Package

Name
TinyMCE
Purl
pkg:nuget/TinyMCE

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
7.9.3

Affected versions

6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.1.0
6.1.1
6.1.2
6.2.0
6.3.0
6.3.1
6.3.2
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.2
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.3.0
7.4.0
7.4.1
7.5.0
7.5.1
7.6.0
7.6.1
7.7.0
7.7.1
7.7.2
7.8.0
7.9.0
7.9.1
7.9.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
TinyMCE

Package

Name
TinyMCE
Purl
pkg:nuget/TinyMCE

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.5.1

Affected versions

8.*
8.0.0
8.0.1
8.0.2
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
8.2.2
8.3.0
8.3.1
8.3.2
8.4.0
8.5.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
Packagist
tinymce/tinymce

Package

Name
tinymce/tinymce
Purl
pkg:composer/tinymce%2Ftinymce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.22
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.3.12
4.3.13
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.12
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.7.8
4.7.9
4.7.10
4.7.11
4.7.12
4.7.13
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.9.8
4.9.9
4.9.10
4.9.11
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.4.2
5.5.0
5.5.1
5.6.0
5.6.1
5.6.2
5.7.0
5.7.1
5.8.0
5.8.1
5.8.2
5.9.0
5.9.1
5.9.2
5.10.0
5.10.1
5.10.2
5.10.3
5.10.4
5.10.5
5.10.6
5.10.7
5.10.8
5.10.9
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.1.0
6.1.1
6.1.2
6.2.0
6.3.0
6.3.1
6.3.2
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.6.1
6.6.2
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.3.0
7.4.0
7.4.1
7.5.0
7.5.1
7.6.0
7.6.1
7.7.0
7.7.1
7.7.2
7.8.0
7.9.0
7.9.1
7.9.2
7.9.3
8.*
8.0.0
8.0.1
8.0.2
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
8.2.2
8.3.0
8.3.1
8.3.2
8.4.0
8.5.0
8.5.1
8.6.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
last_known_affected_version_range
"< 5.11.1"
tinymce/tinymce

Package

Name
tinymce/tinymce
Purl
pkg:composer/tinymce%2Ftinymce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
7.9.3

Affected versions

6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.1.0
6.1.1
6.1.2
6.2.0
6.3.0
6.3.1
6.3.2
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.6.1
6.6.2
6.7.0
6.7.1
6.7.2
6.7.3
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.3.0
7.4.0
7.4.1
7.5.0
7.5.1
7.6.0
7.6.1
7.7.0
7.7.1
7.7.2
7.8.0
7.9.0
7.9.1
7.9.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"
tinymce/tinymce

Package

Name
tinymce/tinymce
Purl
pkg:composer/tinymce%2Ftinymce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.5.1

Affected versions

8.*
8.0.0
8.0.1
8.0.2
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
8.2.2
8.3.0
8.3.1
8.3.2
8.4.0
8.5.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vg35-5wq7-3x7w/GHSA-vg35-5wq7-3x7w.json"