DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47762: CVE-2026-47762: Stored Cross-Site Scripting (XSS) in TinyMCE Protect Pattern Restoration

#security #cve #cybersecurity

CVE-2026-47762: Stored Cross-Site Scripting (XSS) in TinyMCE Protect Pattern Restoration

Vulnerability ID: CVE-2026-47762
CVSS Score: 8.7
Published: 2026-06-05

A high-severity stored Cross-Site Scripting (XSS) vulnerability was identified in the TinyMCE rich text editor. The flaw exists in the handling of the 'protect' configuration option, where forged placeholder comments containing malicious payloads bypass the editor's sanitization routines and execute arbitrary JavaScript during serialization and content restoration.

TL;DR

A stored XSS vulnerability in TinyMCE prior to 5.11.1, 7.9.3, and 8.5.1 allows low-privileged users to execute arbitrary scripts in the browsers of administrators or other users by injecting a forged 'mce:protected' comment.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (AV:N)
  • CVSS Score: 8.7 (High)
  • EPSS Score: 0.00032
  • Impact: Stored Cross-Site Scripting (XSS) / Privilege Escalation
  • Exploit Status: Proof-of-Concept (PoC) available
  • KEV Status: Not currently listed

Affected Systems

  • TinyMCE
  • TinyMCE: < 5.11.1 (Fixed in: 5.11.1)
  • TinyMCE: >= 6.0.0, <= 6.8.6 (Fixed in: None (Upgrade to 7.9.3 or 8.5.1))
  • TinyMCE: >= 7.0.0, < 7.9.3 (Fixed in: 7.9.3)
  • TinyMCE: >= 8.0.0, < 8.5.1 (Fixed in: 8.5.1)

Mitigation Strategies

  • Upgrade TinyMCE to 5.11.1 (LTS), 7.9.3, or 8.5.1 or newer.
  • Disable the 'protect' setting entirely if non-standard markup preservation is not required.
  • Strip HTML comments from user-supplied inputs on the server side prior to database storage.

Remediation Steps:

  1. Identify all applications utilizing TinyMCE and check the active version.
  2. Upgrade the package manager dependencies (npm, NuGet, or Composer) to the respective fixed version.
  3. Verify the editor configuration to determine if the 'protect' option is enabled.
  4. Implement server-side comment removal filters within the application's sanitization library.
  5. Deploy a robust Content Security Policy (CSP) to restrict inline script execution.

References

Read the full report for CVE-2026-47762 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)