CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47760: Cross-Site Scripting (XSS) via SVG Namespace Sanitizer Bypass in TinyMCE

Vulnerability ID: CVE-2026-47760
CVSS Score: 8.7
Published: 2026-06-05

TinyMCE versions 6.8.0 through 7.0.1 contain a high-severity Cross-Site Scripting (XSS) vulnerability. The flaw exists in the custom HTML parser and sanitizer module, which incorrectly manages SVG namespace scopes when parsing nested elements. A low-privileged or unauthenticated attacker can submit a crafted HTML payload containing nested SVG structures to bypass sanitization filters, leading to arbitrary JavaScript execution in the context of the victim's browser session.

TL;DR

A high-severity Cross-Site Scripting (XSS) vulnerability (CVSS 8.7) in TinyMCE (versions >= 6.8.0, < 7.1.0) allows attackers to bypass HTML sanitization using nested SVGs and execute arbitrary JavaScript code inside a victim's browser.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v3.1 Score: 8.7
  • EPSS Score: 0.00033
  • Exploit Status: PoC
  • KEV Status: Not Listed

Affected Systems

  • TinyMCE core editor library
  • tinymce npm package
  • TinyMCE NuGet package
  • tinymce/tinymce Packagist package
  • TinyMCE: >= 6.8.0, < 7.1.0 (Fixed in: 7.1.0)

Mitigation Strategies

  • Upgrade TinyMCE to version 7.1.0 or later to ensure complete protection.
  • If the upgrade must be delayed, configure a strict custom schema in the TinyMCE initialization so that SVG elements are dropped.
  • Deploy robust server-side sanitization filters running HTML5 spec-compliant parsers.

Remediation Steps:

  1. Identify all web-accessible instances of TinyMCE within the application architecture.
  2. Check the version registry via project dependencies (package.json, Composer, or NuGet configurations).
  3. Update the dependency to version 7.1.0 or later using the appropriate package manager command.
  4. If an immediate upgrade is impossible, set the 'invalid_elements' option in the tinymce.init() configuration to block SVG elements from being parsed.
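A small script covering steps 2 and 4 of the procedure above, added here as an example and not taken from the advisory or from the TinyMCE project: it checks a declared tinymce dependency against the affected range (>= 6.8.0, < 7.1.0) and builds a fallback init configuration that drops SVG via invalid_elements. The element name list, the pre-release handling and the caret/tilde range handling are assumptions.

```javascript
// Added example (not from the advisory or TinyMCE): audit a tinymce dependency
// against the affected range and build a fallback init config that drops SVG.

const AFFECTED_MIN = '6.8.0'; // first affected version per the advisory
const FIXED_IN = '7.1.0';     // first fixed version per the advisory

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// Pre-release suffixes such as "7.0.1-rc.1" are ignored (assumption for this example).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the installed version lies within [6.8.0, 7.1.0).
function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Audit a package.json body: returns { spec, affected } for tinymce, or null if absent.
// Only the lower bound of a ^/~ range is inspected; the version resolved in the
// lockfile is authoritative (assumption: specs are a bare version or ^/~ prefixed).
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if (!('tinymce' in deps)) return null;
  const spec = deps.tinymce;
  const lower = spec.replace(/^[\^~>=\s]+/, '');
  return { spec, affected: isAffectedVersion(lower) };
}

// Fallback for installs that cannot upgrade yet: merge 'svg' into invalid_elements
// (a comma-separated string) so the editor schema drops it. Element list is an assumption.
function hardenedInitConfig(base) {
  const existing = (base.invalid_elements || '').split(',').map(s => s.trim()).filter(Boolean);
  const merged = Array.from(new Set([...existing, 'svg']));
  return { ...base, invalid_elements: merged.join(',') };
}

// Constructed sample package.json so the script runs offline.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { tinymce: '^6.8.0', react: '^18.2.0' },
});

console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
console.log(hardenedInitConfig({ selector: 'textarea', invalid_elements: 'script' }));
```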

Read the full report for CVE-2026-47760 on our website for more details including interactive diagrams and full exploit analysis.