Server-side cross-site scripting in tinymce

Description

TinyMCE Cross-Site Scripting (XSS) vulnerability through mce:protected comments

Impact

A stored XSS vulnerability via forged mce:protected comments allows attackers to bypass sanitization and inject scripts that execute when the protected content is restored. It affects users who use the protect option.

Patches

Patched by validating decoded mce:protected content against configured protect regex rules before restoring. Users should upgrade to the latest patched version.
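The protect round-trip and the validating fix described above, reduced to a small model as an added example (this is not TinyMCE's own code). It assumes protect rules are RegExp objects and that protected matches travel as `<!--mce:protected <encoded>-->` comments, encoded with encodeURIComponent; the restore-side check reinserts a decoded payload only if a configured rule matches it in full.

```javascript
// Simplified model of the `protect` round-trip, added as an example; not
// TinyMCE's own code. Assumed: rules are RegExp objects and protected matches
// are stored as <!--mce:protected <encoded>--> comments (encodeURIComponent).
const PROTECTED_RE = /<!--mce:protected ([\s\S]*?)-->/g;

// Replace every match of a protect rule with an mce:protected comment.
function protectHtml(html, rules) {
  return rules.reduce(
    (out, rule) => out.replace(rule, (m) => `<!--mce:protected ${encodeURIComponent(m)}-->`),
    html
  );
}

// Anchored copy of a rule, so the decoded payload must match it in full.
function anchored(rule) {
  return new RegExp(`^(?:${rule.source})$`, rule.flags.replace(/[gy]/g, ''));
}

// Vulnerable restore: trusts any mce:protected comment found in the input, so a
// forged comment carries arbitrary markup past sanitization.
function restoreUnsafe(html) {
  return html.replace(PROTECTED_RE, (_, enc) => decodeURIComponent(enc));
}

// Hardened restore (the approach the advisory describes): only reinsert a
// payload that one of the configured rules would have protected in the first
// place. Anything else, including undecodable payloads, is dropped (a choice
// made in this example).
function restoreSafe(html, rules) {
  const checks = rules.map(anchored);
  return html.replace(PROTECTED_RE, (_, enc) => {
    let decoded;
    try { decoded = decodeURIComponent(enc); } catch { return ''; }
    return checks.some((re) => re.test(decoded)) ? decoded : '';
  });
}

// Constructed sample input: one legitimate PHP block and one forged comment.
const RULES = [/<\?php[\s\S]*?\?>/g];
const LEGIT = '<p>Hello</p><?php echo 1; ?>';
const FORGED = '<p>Hi</p><!--mce:protected %3Cscript%3Ex%3C%2Fscript%3E-->';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(restoreSafe(protectHtml(LEGIT, RULES), RULES)); // round-trips LEGIT
  console.log(restoreUnsafe(FORGED));                         // script reinserted
  console.log(restoreSafe(FORGED, RULES));                    // forged comment dropped
}
```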

Workarounds

No official workaround available.

Fix

To avoid this vulnerability:

Upgrade to TinyMCE 8.5.1 or higher.
Upgrade to TinyMCE 7.9.3 or higher.
Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of a commercial long-term support contract).

Acknowledgements

Tiny thanks Ivan Babenko for their help identifying this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
