← voltar
CVE-2026-47761

TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection

CVSS 8.7 HIGHEPSS 0.2%CWE-79
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Produtos afetados
tinymce · tinymce

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/tinymce/tinymce/security/advisories/GHSA-vg35-5wq7-3x7whttps://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overviewhttps://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview