CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47759: Stored Cross-Site Scripting (XSS) via Unsanitized data-mce-* Serialization Bypass in TinyMCE

Vulnerability ID: CVE-2026-47759
CVSS Score: 8.7
Published: 2026-06-05

CVE-2026-47759 is a critical stored Cross-Site Scripting (XSS) vulnerability affecting multiple active branches of the TinyMCE rich text editor. The flaw lies in the editor's handling of user-controlled, prefixed internal attributes such as data-mce-href, data-mce-src, and data-mce-style. When processing raw HTML input, TinyMCE's internal validation schema does not inspect these custom prefixed attributes. During HTML serialization, the editor reads these unsanitized values and copies them back into the corresponding standard attributes (href, src, style), overwriting any previously sanitized values and leading to execution of arbitrary script in the victim's browser.

TL;DR

Unsanitized data-mce-* attributes in TinyMCE allow attackers to bypass HTML sanitization filters, injecting stored XSS payloads that execute during output serialization.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Attack Vector: Network (AV:N)
  • CVSS Base Score: 8.7
  • Exploit Status: Proof-of-Concept (PoC) Feasible
  • Impact: Stored Cross-Site Scripting (XSS) / Execution of Arbitrary Script
  • KEV Status: Not Listed

Affected Systems

  • Web applications incorporating TinyMCE rich text editor
  • TinyMCE: < 5.11.1 (Fixed in: 5.11.1)
  • TinyMCE: >= 6.0.0, <= 6.8.6 (Fixed in: None (Upgrade to 7.9.3 / 8.5.1))
  • TinyMCE: >= 7.0.0, < 7.9.3 (Fixed in: 7.9.3)
  • TinyMCE: >= 8.0.0, < 8.5.1 (Fixed in: 8.5.1)

Mitigation Strategies

  • Upgrade TinyMCE to patched release versions (5.11.1, 7.9.3, or 8.5.1).
  • Explicitly filter and strip all data-mce-* prefixed attributes on the server side prior to database insertion.
  • Deploy a restrictive Content Security Policy (CSP) that blocks inline script execution.
  • Implement server-side input validation using robust libraries such as DOMPurify or Bleach.

Remediation Steps:

  1. Identify all application entry points and dependencies referencing the TinyMCE rich text editor.
  2. Determine the active version of TinyMCE deployed in production.
  3. If running TinyMCE 6.x, plan and execute a migration to a supported active branch (7.x or 8.x).
  4. Apply the appropriate vendor security patch: 5.11.1, 7.9.3, or 8.5.1.
  5. Integrate a server-side sanitization step in backend controller logic to filter custom data-mce-* attributes from incoming rich text inputs.
  6. Review and verify that Content Security Policy (CSP) headers are active and restrict inline script execution.
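The server-side stripping step described in the mitigation list and in step 5, written out as an added example that is not part of the original report or of TinyMCE itself. It uses only the Python standard library (not DOMPurify or Bleach), rewrites incoming rich text with every data-mce-* attribute removed, and records what was dropped so the application can log or alert on overrides of already-sanitized href/src/style values. The sample HTML is constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

MCE_PREFIX = "data-mce-"  # TinyMCE's internal attribute prefix described above


class McePrefixStripper(HTMLParser):
    """Re-serialises HTML, dropping every data-mce-* attribute.

    Each dropped attribute is recorded as (tag, name, value) so the caller
    can log or alert on it; a data-mce-href that differs from the sanitized
    href is exactly the override this CVE is about.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []

    def _emit_start(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:  # HTMLParser lowercases names, unescapes values
            if name.startswith(MCE_PREFIX):
                self.dropped.append((tag, name, value))
                continue  # never let the prefixed value reach storage
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" /" if self_closing else "") + ">")

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text nodes are re-escaped on output


def strip_mce_attributes(html):
    """Return (cleaned_html, dropped_attributes) for one rich-text submission."""
    parser = McePrefixStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: the standard attributes are clean, the prefixed ones are not.
SAMPLE_HTML = (
    '<a href="https://example.com/" data-mce-href="javascript:alert(1)">link</a>'
    '<img src="/ok.png" data-mce-src="javascript:alert(1)" />'
    '<p style="color:red" data-mce-style="color:blue">text</p>'
)

if __name__ == "__main__":
    clean, dropped = strip_mce_attributes(SAMPLE_HTML)
    print(clean)
    for tag, name, value in dropped:
        print(f"dropped {name!r} on <{tag}>: {value!r}")
```

Run this in the backend controller before the rich text is written to the database; anything in `dropped` whose value differs from the matching standard attribute is worth alerting on.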

Read the full report for CVE-2026-47759 on our website for more details including interactive diagrams and full exploit analysis.
