GHSA-vg35-5wq7-3x7wHighCVSS 8.7

TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection

Published
June 5, 2026
Last Modified
June 30, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled.

Patches

This vulnerability has been patched in TinyMCE 8.5.1, TinyMCE 7.9.3 and TinyMCE 5.11.1 LTS by ensuring that, when using the media plugin, any content with data-mce-object and data-mce-p-* attributes are properly sanitized.

Workarounds

No official workaround available.

Fix

To avoid this vulnerability:

  • Upgrade to TinyMCE 8.5.1 or higher.
  • Upgrade to TinyMCE 7.9.3 or higher.
  • Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Aymane MAZGUITI and Ange Primiterra for their help identifying this vulnerability.

🎯 Affected products9

  • npm/tinymce:>= 6.0.0, < 7.9.3
  • npm/tinymce:>= 8.0.0, < 8.5.1
  • nuget/TinyMCE:>= 6.0.0, < 7.9.3
  • nuget/TinyMCE:>= 8.0.0, < 8.5.1
  • composer/tinymce/tinymce:>= 6.0.0, < 7.9.3
  • composer/tinymce/tinymce:>= 8.0.0, < 8.5.1
  • npm/tinymce:> 0, <= 5.10.9
  • nuget/TinyMCE:> 0, <= 5.10.9
  • composer/tinymce/tinymce:> 0, <= 5.10.9

🔗 References (5)