CVE-2026-47762
- EPSS 0.24%
- Veröffentlicht 28.05.2026 15:21:36
- Zuletzt bearbeitet 28.05.2026 19:18:01
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Im...
CVE-2026-47761
- EPSS 0.22%
- Veröffentlicht 28.05.2026 15:20:57
- Zuletzt bearbeitet 28.05.2026 19:18:37
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rende...
CVE-2026-47759
- EPSS 0.24%
- Veröffentlicht 28.05.2026 15:20:11
- Zuletzt bearbeitet 28.05.2026 19:19:37
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that o...
CVE-2026-47760
- EPSS 0.19%
- Veröffentlicht 28.05.2026 15:18:22
- Zuletzt bearbeitet 28.05.2026 19:19:03
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization ...
CVE-2024-29881
- EPSS 0.72%
- Veröffentlicht 26.03.2024 14:15:09
- Zuletzt bearbeitet 02.09.2025 16:17:16
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an `object` or `embed` element and that image could pot...
CVE-2024-29203
- EPSS 0.72%
- Veröffentlicht 26.03.2024 14:15:08
- Zuletzt bearbeitet 02.09.2025 16:20:29
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `ifr...
CVE-2024-21910
- EPSS 0.96%
- Veröffentlicht 03.01.2024 16:15:09
- Zuletzt bearbeitet 28.11.2025 16:15:51
TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's brow...
CVE-2024-21911
- EPSS 1.17%
- Veröffentlicht 03.01.2024 16:15:09
- Zuletzt bearbeitet 11.06.2025 17:15:40
TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
CVE-2024-21908
- EPSS 1.07%
- Veröffentlicht 03.01.2024 16:15:08
- Zuletzt bearbeitet 28.11.2025 16:15:50
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.
CVE-2023-48219
- EPSS 0.72%
- Veröffentlicht 15.11.2023 19:15:07
- Zuletzt bearbeitet 21.11.2024 08:31:14
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serializatio...