Vulnerability intelligence

CVE-2026-47759

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

CVSS Score

8.7

High

EPSS — Exploit Probability

0.0%

Riskier than 10% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

1 article across 1 outlet · first covered Jun 10, 2026 · latest Jun 10, 2026

Coverage timeline

TinyMCE Flaws Allow Remote Script Injection, Patches Urged
securityonline.info · Jun 10, 2026