2026-05-28 15:18 · CVE-2026-47760 · GitHub_M
PUBLISHED · CVE record format 5.2 · CWE-79

TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs

TinyMCE is an open source rich text editor. From version 6.8.0 up to, but not including, 7.1.0, TinyMCE contains an XSS vulnerability caused by improper handling of SVG namespace scope in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

Problem type

Affected products

tinymce

tinymce

>= 6.0.0, < 7.1.0 - AFFECTED

References

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-47760
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-47760",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-28T15:18:22.509Z",
    "dateReserved": "2026-05-19T22:36:16.881Z",
    "datePublished": "2026-05-28T15:18:22.509Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-28T15:18:22.509Z"
      },
      "title": "TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs",
      "descriptions": [
        {
          "lang": "en",
          "value": "TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0."
        }
      ],
      "affected": [
        {
          "vendor": "tinymce",
          "product": "tinymce",
          "versions": [
            {
              "version": ">= 6.0.0, < 7.1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69",
          "name": "https://github.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH"
          }
        }
      ]
    }
  }
}