Reflected cross-site scripting (XSS) in tinymce
Description
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
Impact
TinyMCE 6.8.x through 7.0.x contains an XSS vulnerability caused by improper handling of SVG namespace scope in the sanitizer. A crafted payload using nested SVG elements can bypass attribute sanitization, so that event-handler attributes survive and arbitrary JavaScript executes in the context of the page hosting the editor when the content is loaded.
Patches
This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fixed in TinyMCE 7.1.0 and later.
Workarounds
No official workaround available.
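Since the advisory offers no workaround short of upgrading, a practitioner will still want to know which stored content matches the shape described under Impact: an `<svg>` element nested inside another `<svg>`, and event-handler attributes anywhere inside an SVG subtree. The scanner below is an added triage example written for this page; it is not TinyMCE code, it does not sanitize anything, and it is not a substitute for upgrading. The tag tokenizer and the sample fragment are constructed for the example; it is not a full HTML parser and will mis-tokenize a `>` inside a quoted attribute value.

```javascript
// Added example (not TinyMCE code): flag HTML fragments that contain an <svg>
// nested inside another <svg>, plus any on* attribute inside an SVG subtree.
// Intended for triaging stored editor content before/after upgrading.

// Matches one start or end tag: closing slash, tag name, raw attribute text,
// and an optional self-closing slash. Assumes no '>' inside attribute values.
const TAG_RE = /<\s*(\/?)([A-Za-z][\w:-]*)([^>]*?)(\/?)\s*>/g;
// Matches one attribute name with an optional quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

function scanSvgNesting(html) {
  const findings = [];
  let svgDepth = 0; // how many <svg> elements are currently open
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [, closing, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();

    if (closing) {
      if (name === 'svg' && svgDepth > 0) svgDepth -= 1;
      continue;
    }

    if (name === 'svg') {
      // An <svg> opened while another <svg> is still open is the nested case.
      if (svgDepth > 0) {
        findings.push({ kind: 'nested-svg', offset: m.index, depth: svgDepth + 1 });
      }
      if (!selfClose) svgDepth += 1; // <svg/> opens and closes in one token
    }

    if (svgDepth > 0) {
      // Report event-handler attributes on any element inside an SVG subtree.
      let a;
      ATTR_RE.lastIndex = 0;
      while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
        const attr = a[1].toLowerCase();
        if (attr.startsWith('on')) {
          findings.push({ kind: 'event-handler', attr, element: name, offset: m.index });
        }
      }
    }
  }
  return findings;
}

// Constructed sample fragment (hypothetical stored content, not a real payload).
const SAMPLE = '<p>hello</p><svg width="10"><svg onload="x()"></svg></svg>';
console.log(scanSvgNesting(SAMPLE));
```

Run it with `node` against exported editor content; a non-empty result means the fragment deserves manual review and re-sanitization with the patched version, while an empty result says nothing about other bypass shapes.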
Acknowledgements
Tiny thanks maple3142 (https://maple3142.net) of DEVCORE for their help identifying this vulnerability.
References
The fix was introduced in TinyMCE 7.1.0 through a rewrite of the code responsible for the vulnerability.
Mitigation
Update impact
Upgrade to TinyMCE 7.1.0 or later. For 7.0.x deployments this is a minor update; for 6.8.x deployments it crosses the 7.0 major version boundary, so review the TinyMCE 7 migration notes before deploying. As with any dependency update, re-test content round-tripping through the editor, since the update may introduce breaking changes or new issues.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| nuget | TinyMCE | 6.8.x through 7.0.x | 7.1.0 |
| packagist | tinymce/tinymce | 6.8.x through 7.0.x | 7.1.0 |
| npm | tinymce | 6.8.x through 7.0.x | 7.1.0 |