DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47761: Stored Cross-Site Scripting in TinyMCE Media Plugin

Vulnerability ID: CVE-2026-47761
CVSS Score: 8.7
Published: 2026-06-05

TinyMCE before 5.11.1, 7.9.3 and 8.5.1 contains a stored cross-site scripting (XSS) vulnerability in its media plugin. When the plugin deserializes HTML, it does not properly validate or sanitize custom placeholder attributes whose names begin with data-mce-, so crafted attribute content is not neutralized. An attacker who already holds content-editing permissions can store such content and execute arbitrary JavaScript in the browser session of any other user who later views the rendered page. The 6.x line receives no fix of its own; those deployments must move to 7.9.3.

TL;DR

An input validation flaw in TinyMCE's media plugin allows stored cross-site scripting: data-mce-* placeholder attributes are not validated during HTML deserialization, so attacker-supplied attribute content passes the plugin's HTML filtering unchecked.


⚠️ Exploit Status: Proof of concept (PoC)

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Base Score: 8.7
  • Exploit Status: Proof of concept (PoC)
  • Impact: Stored Cross-Site Scripting (XSS)
  • KEV Status: Not Listed

Affected Systems

  • TinyMCE deployments with the media plugin enabled
  • TinyMCE < 5.11.1 (fixed in 5.11.1)
  • TinyMCE 6.0.0 through 6.8.6 (no 6.x fix; upgrade to 7.9.3)
  • TinyMCE 7.0.0 to < 7.9.3 (fixed in 7.9.3)
  • TinyMCE 8.0.0 to < 8.5.1 (fixed in 8.5.1)
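The affected ranges above, encoded as data and checked by a small helper, as an added example that is not part of the original report or of the TinyMCE project. The ranges are copied from the list above; the comparison logic, the function names and the sample inventory are assumptions made for the example.

```javascript
// Added example, not from the advisory or the TinyMCE project: classify
// TinyMCE version strings against the affected ranges published for
// CVE-2026-47761. The ranges are copied from the advisory; the comparison
// logic and the sample inventory are ours.

// "below" is an exclusive upper bound, "through" an inclusive one.
const AFFECTED_RANGES = [
  { from: '0.0.0', below: '5.11.1',   fixedIn: '5.11.1' },
  { from: '6.0.0', through: '6.8.6', fixedIn: '7.9.3' }, // no 6.x fix: move to 7.x
  { from: '7.0.0', below: '7.9.3',   fixedIn: '7.9.3' },
  { from: '8.0.0', below: '8.5.1',   fixedIn: '8.5.1' },
];

// Parse "major.minor.patch" into three numbers. A leading "v" and any
// pre-release or build suffix ("-rc1", "+build") are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable TinyMCE version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The affected range containing `version`, or null when it falls outside
// every published range. Falling outside the published ranges is not a
// claim of safety for versions the advisory does not mention.
function affectedRange(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) < 0) continue;
    const inRange = r.below !== undefined
      ? compareVersions(version, r.below) < 0
      : compareVersions(version, r.through) <= 0;
    if (inRange) return r;
  }
  return null;
}

function tinymceStatus(version) {
  const r = affectedRange(version);
  return r
    ? { version, vulnerable: true, upgradeTo: r.fixedIn }
    : { version, vulnerable: false, upgradeTo: null };
}

// Constructed sample: the TinyMCE version each application ships, as a
// dependency inventory (package-lock.json, a CDN script tag, or the
// self-hosted bundle) might report it.
const SAMPLE_INVENTORY = {
  'legacy-cms': '5.10.9',
  'intranet-wiki': '6.8.6',
  'help-desk': '7.9.2',
  'marketing-site': '8.5.1',
};

function auditInventory(inventory) {
  return Object.entries(inventory).map(([app, version]) => ({ app, ...tinymceStatus(version) }));
}

for (const row of auditInventory(SAMPLE_INVENTORY)) {
  const action = row.vulnerable ? `upgrade to ${row.upgradeTo}` : 'not in an affected range';
  console.log(`${row.app}: TinyMCE ${row.version} -> ${action}`);
}
```

In a running page the editor global exposes its version as the strings tinymce.majorVersion and tinymce.minorVersion; joining them with a dot gives a value tinymceStatus accepts. For dependency scans, the version field of node_modules/tinymce/package.json is the usual source.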

Mitigation Strategies

  • Upgrade to a patched release: 5.11.1 for the 5.x line, 7.9.3 for 6.x and 7.x (6.x receives no fix), 8.5.1 for 8.x
  • Disable the media plugin where embedded media is not required, which removes the vulnerable code path entirely
  • As defence in depth, strip attributes whose names begin with data-mce- in the backend sanitization applied to stored rich-text content; this limits exposure but does not replace the upgrade

Remediation Steps:

  1. Inventory every web application that ships TinyMCE, including bundled npm dependencies, CDN script tags and self-hosted copies
  2. Update the dependency or the self-hosted assets to the patched version for that major line
  3. Confirm that the deployed editor reports the patched version and that the media plugin is either disabled or loads the patched build when test placeholder content is inserted
  4. Sanitize rich-text input on the server with an allowlist so that stored content cannot carry event-handler attributes or unexpected data-mce-* attributes, regardless of what the editor accepted
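One way to implement the backend stripping called for in the mitigation list and in step 4, as an added example that is not the advisory's, TinyMCE's or any sanitizer library's code: a JavaScript filter over serialized HTML that drops every attribute whose name starts with data-mce- and, as a conservative extra, every on* event-handler attribute. The function names are assumptions, and the sample markup is constructed to show the filter's behaviour; it is not the vulnerability's trigger.

```javascript
// Added example, not from the advisory, TinyMCE or a sanitizer library: a
// backend filter that strips attributes TinyMCE uses as in-editor
// placeholders (data-mce-*) and inline event handlers (on*) from serialized
// HTML before it is stored or rendered. It is a name-based attribute filter,
// not a full sanitizer; run it alongside a proper allowlist sanitizer.

// Attribute names (lower-cased) that never belong in persisted content.
// "on" is matched as a prefix on purpose: it also catches handlers nobody
// thought to list explicitly.
function isBlockedAttribute(name) {
  const n = name.toLowerCase();
  return n.startsWith('data-mce-') || n.startsWith('on');
}

// Index of the '>' that closes the tag opening at html[start] === '<',
// skipping '>' characters inside quoted attribute values; -1 if unterminated.
function findTagEnd(html, start) {
  let quote = null;
  for (let i = start + 1; i < html.length; i++) {
    const c = html[i];
    if (quote) {
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '>') {
      return i;
    }
  }
  return -1;
}

const TAG_NAME_RE = /^<([a-zA-Z][^\s/>]*)/;
// name, then optionally = "double-quoted" | 'single-quoted' | unquoted value
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

// Re-emit one start tag with blocked attributes removed; the names of the
// removed attributes are appended to `dropped` for logging or alerting.
function rebuildTag(tag, dropped) {
  const nameMatch = TAG_NAME_RE.exec(tag);
  if (!nameMatch) return tag;
  const selfClosing = /\/\s*>$/.test(tag);
  const attrText = tag.slice(nameMatch[0].length, selfClosing ? tag.lastIndexOf('/') : tag.length - 1);
  const kept = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    const [, name, dq, sq, bare] = m;
    if (isBlockedAttribute(name)) { dropped.push(name); continue; }
    if (dq !== undefined) kept.push(`${name}="${dq}"`);
    else if (sq !== undefined) kept.push(`${name}='${sq}'`);
    else if (bare !== undefined) kept.push(`${name}=${bare}`);
    else kept.push(name);
  }
  const attrs = kept.length ? ' ' + kept.join(' ') : '';
  return `<${nameMatch[1]}${attrs}${selfClosing ? ' /' : ''}>`;
}

// Walk the document, rewriting start tags and copying everything else
// (text, end tags, comments) through unchanged.
function stripPlaceholderAttributes(html) {
  const dropped = [];
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const isStartTag = /[a-zA-Z]/.test(html[lt + 1] || '');
    const end = isStartTag ? findTagEnd(html, lt) : -1;
    if (end === -1) {            // end tag, comment, doctype or unterminated '<'
      out += '<';
      i = lt + 1;
      continue;
    }
    out += rebuildTag(html.slice(lt, end + 1), dropped);
    i = end + 1;
  }
  return { html: out, dropped };
}

// Constructed sample: a media-plugin style placeholder wrapper plus an
// inline handler. It illustrates the filter, not the CVE's trigger.
const SAMPLE_HTML =
  '<p>Intro</p>' +
  '<span class="mce-preview-object" data-mce-object="video" data-mce-p-src="demo.mp4">' +
  '<video src="demo.mp4" controls onplay="alert(1)"></video></span>';

const result = stripPlaceholderAttributes(SAMPLE_HTML);
console.log(result.html);
console.log('dropped:', result.dropped.join(', '));
```

TinyMCE relies on data-mce-* attributes for its own in-editor bookkeeping, so a filter like this belongs on the server side of the save path and at render time, not inside the editor. Log the dropped list: a stream of data-mce-* or on* attributes arriving from a particular account is worth an alert while the upgrade is pending.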


Read the full report for CVE-2026-47761 on our website for more details including interactive diagrams and full exploit analysis.
