Vulnerability intelligence

CVE-2026-47761

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

CVSS Score

8.7

High

EPSS — Exploit Probability

0.0%

Riskier than 10% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

1 article across 1 outlet · first covered Jun 10, 2026 · latest Jun 10, 2026

Coverage timeline

TinyMCE Flaws Allow Remote Script Injection, Patches Urged
securityonline.info · Jun 10, 2026