Vulnerability intelligence

CVE-2026-47760

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

CVSS Score

8.7

High

EPSS — Exploit Probability

0.0%

Riskier than 10% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

1 article across 1 outlet · first covered Jun 10, 2026 · latest Jun 10, 2026

Coverage timeline

TinyMCE Flaws Allow Remote Script Injection, Patches Urged
securityonline.info · Jun 10, 2026