Fluid Attacks Database

Description

TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes

Impact

Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation.

Patches

Patched by stripping unsafe data-mce-* attributes during parsing. Users should upgrade to the latest patched versions (5 LTS, 7.x, 8.x).

Workarounds

No official workaround available.

Fix

To avoid this vulnerability:

Upgrade to TinyMCE 8.5.1 or higher. Upgrade to TinyMCE 7.9.3 or higher. Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Tadi Kadango (website) and Ivan Babenko for their help identifying this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	tinymce	>=0 <5.11.1 \|\| >=6.0.0 <7.9.3 \|\| >=8.0.0 <8.5.1	5.11.1, 7.9.3, 8.5.1
packagist	tinymce/tinymce	>=0 <5.11.1 \|\| >=6.0.0 <7.9.3 \|\| >=8.0.0 <8.5.1	7.9.3, 8.5.1
npm	tinymce	>=0 <5.11.1 \|\| >=6.0.0 <7.9.3 \|\| >=8.0.0 <8.5.1	7.9.3, 8.5.1

Aliases

1. CVE-2026-477592. NVD-2026-477593. OSV-2026-477594. GHSA-q742-qvgc-gc2f5. GCVE-2026-47759

References

1. https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f2. https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview3. https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview