GHSA-mh5m-5hw4-5c69HighCVSS 8.7

TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs

Published
June 5, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript.

Patches

This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fixed in TinyMCE 7.1.0 and later.

Workarounds

No official workaround available.

Acknowledgements

Tiny thanks maple3142 (https://maple3142.net) of DEVCORE for their help identifying this vulnerability.

References

Fix introduced in TinyMCE 7.1.0 though a rewrite of code causing the vulnerability.

🎯 Affected products3

  • npm/tinymce:>= 6.8.0, < 7.1.0
  • nuget/TinyMCE:>= 6.8.0, < 7.1.0
  • composer/tinymce/tinymce:>= 6.8.0, < 7.1.0

🔗 References (3)