Vulnerability intelligence

CVE-2026-47762

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

CVSS Score

8.7

High

EPSS — Exploit Probability

0.0%

Riskier than 10% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

1 article across 1 outlet · first covered Jun 10, 2026 · latest Jun 10, 2026

Coverage timeline

TinyMCE Flaws Allow Remote Script Injection, Patches Urged
securityonline.info · Jun 10, 2026