{"id":"CVE-2024-21911","details":"TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.","aliases":["GHSA-w7jx-j77m-wp65"],"modified":"2026-04-10T05:09:01.838645Z","published":"2024-01-03T16:15:09.170Z","related":["GHSA-w7jx-j77m-wp65"],"references":[{"type":"ADVISORY","url":"https://vulncheck.com/advisories/vc-advisory-GHSA-w7jx-j77m-wp65"},{"type":"ADVISORY","url":"https://www.npmjs.com/package/tinymce"},{"type":"ADVISORY","url":"https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes"},{"type":"EVIDENCE","url":"https://github.com/advisories/GHSA-w7jx-j77m-wp65"},{"type":"EVIDENCE","url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tinymce/tinymce","events":[{"introduced":"0"},{"fixed":"a089f0a57a6c02f2e5eddbb132d4d3ae669b108b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.6.0"}]}}],"versions":["2.0.7","2.0.9","2.1.1","2.1.2","3.0","3.0.1","3.0.2","3.0.2.1","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.9","3.0rc1","3.0rc2","3.1.0","3.2","3.2.0.2","3.2.1","3.2.1.1","3.2.2","3.2.2.1","3.2.2.2","3.2.3","3.2.6","3.2.7","3.3","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.8","3.3.9","3.3.9.1","3.3.9.2","3.3b1","3.3b2","3.3rc1","3.4","3.4.1","3.4.2","3.4.3","3.4.3.1","3.4.3.2","3.4.4","3.4.5","3.4.6","3.4.7","3.4.8","3.4.9","3.4b1","3.4b2","3.4b3","3.5","3.5.0.1","3.5.1","3.5.1.1","3.5.2","3.5.3","3.5.3.1","3.5.4","3.5.4.1","3.5.5","3.5.6","3.5.7","3.5.8","4.0","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.17","4.0.18","4.0.19","4.0.2","4.0.20","4.0.21","4.0.22","4.0.23","4.0.24","4.0.25","4.0.26","4.0.27","4.0.28","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.0b1","4.0b2","4.0b3","4.1.0","4.1.1","4.1.10","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.3.0","4.3.1","4.3.10","4.3.11","4.3.12","4.3.13","4.3.2","4.3.3","4.3.4","4.3.6","4.3.7","4.3.8","4.3.9","4.4.0","4.4.1","4.4.2","4.4.3","4.5.0","4.5.1","4.5.2","4.5.3","4.6.0","4.6.1","4.6.2","4.6.3","4.6.4","4.6.5","4.6.6","4.6.7","4.7.0","4.7.1","4.7.10","4.7.11","4.7.12","4.7.13","4.7.2","4.7.3","4.7.4","4.7.5","4.7.6","4.7.7","4.7.8","4.7.9","4.8.0","4.8.1","4.8.2","4.8.3","5.0.0","5.0.1","5.0.10","5.0.11","5.0.12","5.0.13","5.0.14","5.0.15","5.0.2","5.0.3","5.0.4","5.0.5","5.0.6","5.0.7","5.0.8","5.3.0","5.4.0","5.5.0","5.5.1","@ephox/acid@1.0.14","@ephox/acid@1.0.15","@ephox/acid@1.0.17","@ephox/acid@1.0.18","@ephox/acid@1.0.19","@ephox/acid@1.0.20","@ephox/acid@1.0.21","@ephox/acid@1.0.22","@ephox/acid@1.0.23","@ephox/acid@1.0.24","@ephox/acid@1.0.25","@ephox/acid@1.0.26","@ephox/acid@1.0.27","@ephox/acid@1.0.28","@ephox/acid@1.0.29","@ephox/acid@1.0.30","@ephox/acid@1.0.31","@ephox/acid@1.0.32","@ephox/acid@1.0.33","@ephox/acid@1.0.34","@ephox/acid@1.0.35","@ephox/acid@1.0.36","@ephox/acid@1.0.37","@ephox/acid@1.0.38","@ephox/acid@1.0.39","@ephox/acid@1.0.40","@ephox/acid@1.0.41","@ephox/acid@1.0.42","@ephox/acid@1.0.43","@ephox/acid@1.0.44","@ephox/acid@1.0.45","@ephox/acid@1.0.75","@ephox/acid@1.0.78","@ephox/acid@2.0.1","@ephox/agar@4.13.10","@ephox/agar@4.13.11","@ephox/agar@4.13.12","@ephox/agar@4.13.13","@ephox/agar@4.13.14","@ephox/agar@4.13.15","@ephox/agar@4.13.16","@ephox/agar@4.13.17","@ephox/agar@4.13.18","@ephox/agar@4.13.19","@ephox/agar@4.13.20","@ephox/agar@4.13.21","@ephox/agar@4.13.22","@ephox/agar@4.13.23","@ephox/agar@4.13.24","@ephox/agar@4.13.25","@ephox/agar@4.13.26","@ephox/agar@4.13.27","@ephox/agar@4.13.28","@ephox/agar@4.13.29","@ephox/agar@4.13.30","@ephox/agar@4.13.31","@ephox/agar@4.13.32","@ephox/agar@4.13.33","@ephox/agar@4.13.6","@ephox/agar@4.13.7","@ephox/agar@4.13.9","@ephox/agar@4.15.5","@ephox/agar@4.16.1","@ephox/agar@5.0.1","@ephox/alloy@4.12.5","@ephox/alloy@4.12.6","@ephox/alloy@4.13.1","@ephox/alloy@4.13.2","@ephox/alloy@4.13.3","@ephox/alloy@4.13.4","@ephox/alloy@4.13.5","@ephox/alloy@4.13.6","@ephox/alloy@4.14.0","@ephox/alloy@4.14.1","@ephox/alloy@4.14.2","@ephox/alloy@4.14.3","@ephox/alloy@4.14.4","@ephox/alloy@4.15.0","@ephox/alloy@4.15.1","@ephox/alloy@4.15.10","@ephox/alloy@4.15.11","@ephox/alloy@4.15.12","@ephox/alloy@4.15.13","@ephox/alloy@4.15.14","@ephox/alloy@4.15.15","@ephox/alloy@4.15.16","@ephox/alloy@4.15.17","@ephox/alloy@4.15.2","@ephox/alloy@4.15.3","@ephox/alloy@4.15.4","@ephox/alloy@4.15.5","@ephox/alloy@4.15.6","@ephox/alloy@4.15.7","@ephox/alloy@4.15.8","@ephox/alloy@4.15.9","@ephox/alloy@7.0.1","@ephox/alloy@7.0.4","@ephox/alloy@8.0.1","@ephox/boss@3.0.17","@ephox/boss@3.0.18","@ephox/boss@3.0.20","@ephox/boss@3.0.21","@ephox/boss@3.0.22","@ephox/boss@3.0.23","@ephox/boss@3.0.24","@ephox/boss@3.0.25","@ephox/boss@3.0.26","@ephox/boss@3.0.27","@ephox/boss@3.0.28","@ephox/boss@3.0.29","@ephox/boss@3.0.30","@ephox/boss@3.0.31","@ephox/boss@3.0.32","@ephox/boss@3.0.33","@ephox/boss@3.0.34","@ephox/boss@3.0.35","@ephox/boss@3.0.36","@ephox/boss@3.0.37","@ephox/boss@3.1.5","@ephox/boss@3.1.7","@ephox/boss@4.0.1","@ephox/boulder@3.3.12","@ephox/boulder@3.3.13","@ephox/boulder@3.3.15","@ephox/boulder@3.3.16","@ephox/boulder@3.3.17","@ephox/boulder@3.3.18","@ephox/boulder@3.3.19","@ephox/boulder@3.3.20","@ephox/boulder@3.3.21","@ephox/boulder@3.3.22","@ephox/boulder@3.3.23","@ephox/boulder@3.3.24","@ephox/boulder@3.3.25","@ephox/boulder@3.3.26","@ephox/boulder@3.3.27","@ephox/boulder@3.3.28","@ephox/boulder@3.3.29","@ephox/boulder@4.0.5","@ephox/boulder@4.0.7","@ephox/boulder@5.0.1","@ephox/bridge@1.0.55","@ephox/bridge@1.0.56","@ephox/bridge@1.0.58","@ephox/bridge@1.0.59","@ephox/bridge@1.0.60","@ephox/bridge@1.0.61","@ephox/bridge@1.0.62","@ephox/bridge@1.0.63","@ephox/bridge@1.0.64","@ephox/bridge@1.0.65","@ephox/bridge@1.0.66","@ephox/bridge@1.0.67","@ephox/bridge@1.0.68","@ephox/bridge@1.0.69","@ephox/bridge@1.0.70","@ephox/bridge@1.0.71","@ephox/bridge@1.0.72","@ephox/bridge@1.0.73","@ephox/bridge@1.0.74","@ephox/bridge@1.0.75","@ephox/bridge@1.0.76","@ephox/bridge@1.0.77","@ephox/bridge@1.0.78","@ephox/bridge@1.2.1","@ephox/bridge@1.2.3","@ephox/bridge@2.0.1","@ephox/darwin@3.0.10","@ephox/darwin@3.0.11","@ephox/darwin@3.0.13","@ephox/darwin@3.0.14","@ephox/darwin@3.0.15","@ephox/darwin@3.0.16","@ephox/darwin@3.0.17","@ephox/darwin@3.0.18","@ephox/darwin@3.0.19","@ephox/darwin@3.0.20","@ephox/darwin@3.0.21","@ephox/darwin@3.0.22","@ephox/darwin@3.0.23","@ephox/darwin@3.0.24","@ephox/darwin@3.0.25","@ephox/darwin@3.0.26","@ephox/darwin@3.0.27","@ephox/darwin@3.0.28","@ephox/darwin@3.0.29","@ephox/darwin@3.0.30","@ephox/darwin@3.0.31","@ephox/darwin@3.0.32","@ephox/darwin@4.0.16","@ephox/darwin@4.0.18","@ephox/darwin@5.0.1","@ephox/darwin@5.0.2","@ephox/dragster@4.0.10","@ephox/dragster@4.0.12","@ephox/dragster@4.0.13","@ephox/dragster@4.0.14","@ephox/dragster@4.0.15","@ephox/dragster@4.0.16","@ephox/dragster@4.0.17","@ephox/dragster@4.0.18","@ephox/dragster@4.0.19","@ephox/dragster@4.0.20","@ephox/dragster@4.0.21","@ephox/dragster@4.0.22","@ephox/dragster@4.0.23","@ephox/dragster@4.0.24","@ephox/dragster@4.0.25","@ephox/dragster@4.0.26","@ephox/dragster@4.0.27","@ephox/dragster@4.0.28","@ephox/dragster@4.0.29","@ephox/dragster@4.0.48","@ephox/dragster@4.0.50","@ephox/dragster@4.0.9","@ephox/dragster@5.0.1","@ephox/echo@3.0.16","@ephox/echo@3.0.17","@ephox/echo@3.0.19","@ephox/echo@3.0.20","@ephox/echo@3.0.21","@ephox/echo@3.0.22","@ephox/echo@3.0.23","@ephox/echo@3.0.24","@ephox/echo@3.0.25","@ephox/imagetools@3.1.3","@ephox/imagetools@3.1.4","@ephox/imagetools@3.2.1","@ephox/imagetools@3.2.2","@ephox/imagetools@3.2.3","@ephox/imagetools@3.2.4","@ephox/imagetools@3.3.1","@ephox/imagetools@3.3.3","@ephox/imagetools@4.0.1","@ephox/jax@4.1.10","@ephox/jax@4.1.11","@ephox/jax@4.1.12","@ephox/jax@4.1.13","@ephox/jax@4.1.14","@ephox/jax@4.1.15","@ephox/jax@4.1.16","@ephox/jax@4.1.17","@ephox/jax@4.1.18","@ephox/jax@4.1.19","@ephox/jax@4.1.20","@ephox/jax@4.1.33","@ephox/jax@4.1.35","@ephox/jax@4.1.5","@ephox/jax@4.1.6","@ephox/jax@4.1.8","@ephox/jax@4.1.9","@ephox/jax@5.0.1","@ephox/katamari-assertions@1.0.6","@ephox/katamari-assertions@1.0.8","@ephox/katamari-assertions@2.0.1","@ephox/katamari@2.4.17","@ephox/katamari@2.4.18","@ephox/katamari@2.4.20","@ephox/katamari@2.4.21","@ephox/katamari@2.4.22","@ephox/katamari@2.4.23","@ephox/katamari@2.4.24","@ephox/katamari@2.4.25","@ephox/katamari@2.4.26","@ephox/katamari@2.4.27","@ephox/katamari@2.4.28","@ephox/katamari@2.5.0","@ephox/katamari@2.5.1","@ephox/katamari@2.5.2","@ephox/katamari@6.0.1","@ephox/katamari@6.1.1","@ephox/katamari@7.0.1","@ephox/mcagar@4.0.10","@ephox/mcagar@4.0.11","@ephox/mcagar@4.0.12","@ephox/mcagar@4.0.13","@ephox/mcagar@4.0.14","@ephox/mcagar@4.0.15","@ephox/mcagar@4.0.16","@ephox/mcagar@4.0.17","@ephox/mcagar@4.0.18","@ephox/mcagar@4.0.19","@ephox/mcagar@4.0.20","@ephox/mcagar@4.0.21","@ephox/mcagar@4.0.22","@ephox/mcagar@4.0.23","@ephox/mcagar@4.0.24","@ephox/mcagar@4.0.25","@ephox/mcagar@4.0.26","@ephox/mcagar@4.0.27","@ephox/mcagar@4.0.28","@ephox/mcagar@4.0.29","@ephox/mcagar@4.0.30","@ephox/mcagar@4.0.31","@ephox/mcagar@4.0.32","@ephox/mcagar@4.0.4","@ephox/mcagar@4.0.5","@ephox/mcagar@4.0.7","@ephox/mcagar@4.0.8","@ephox/mcagar@4.0.9","@ephox/mcagar@4.1.6","@ephox/mcagar@4.2.1","@ephox/mcagar@5.0.1","@ephox/phoenix@5.0.19","@ephox/phoenix@5.0.20","@ephox/phoenix@5.0.22","@ephox/phoenix@5.0.23","@ephox/phoenix@5.0.24","@ephox/phoenix@5.0.25","@ephox/phoenix@5.0.26","@ephox/phoenix@5.0.27","@ephox/phoenix@5.0.28","@ephox/phoenix@5.0.29","@ephox/phoenix@5.0.30","@ephox/phoenix@5.0.31","@ephox/phoenix@5.0.32","@ephox/phoenix@5.0.33","@ephox/phoenix@5.0.34","@ephox/phoenix@5.0.35","@ephox/phoenix@5.0.36","@ephox/phoenix@5.0.37","@ephox/phoenix@5.0.38","@ephox/phoenix@5.0.39","@ephox/phoenix@5.1.6","@ephox/phoenix@5.1.8","@ephox/phoenix@6.0.1","@ephox/polaris@3.0.21","@ephox/polaris@3.0.22","@ephox/polaris@3.0.24","@ephox/polaris@3.0.25","@ephox/polaris@3.0.26","@ephox/polaris@3.0.27","@ephox/polaris@3.0.28","@ephox/polaris@3.0.29","@ephox/polaris@3.0.30","@ephox/polaris@3.0.31","@ephox/polaris@3.0.32","@ephox/polaris@3.0.33","@ephox/polaris@3.0.34","@ephox/polaris@3.0.35","@ephox/polaris@3.0.50","@ephox/polaris@3.0.52","@ephox/polaris@4.0.1","@ephox/porkbun@4.0.10","@ephox/porkbun@4.0.11","@ephox/porkbun@4.0.12","@ephox/porkbun@4.0.13","@ephox/porkbun@4.0.14","@ephox/porkbun@4.0.15","@ephox/porkbun@4.0.16","@ephox/porkbun@4.0.17","@ephox/porkbun@4.0.18","@ephox/porkbun@4.0.19","@ephox/porkbun@4.0.20","@ephox/porkbun@4.0.21","@ephox/porkbun@4.0.22","@ephox/porkbun@4.0.35","@ephox/porkbun@4.0.37","@ephox/porkbun@4.0.7","@ephox/porkbun@4.0.8","@ephox/porkbun@5.0.1","@ephox/robin@7.0.13","@ephox/robin@7.0.14","@ephox/robin@7.0.16","@ephox/robin@7.0.17","@ephox/robin@7.0.18","@ephox/robin@7.0.19","@ephox/robin@7.0.20","@ephox/robin@7.0.21","@ephox/robin@7.0.22","@ephox/robin@7.0.23","@ephox/robin@7.0.24","@ephox/robin@7.0.25","@ephox/robin@7.0.26","@ephox/robin@7.0.27","@ephox/robin@7.0.28","@ephox/robin@7.0.29","@ephox/robin@7.0.30","@ephox/robin@7.0.31","@ephox/robin@7.0.32","@ephox/robin@7.0.33","@ephox/robin@7.0.53","@ephox/robin@7.0.55","@ephox/robin@8.0.1","@ephox/robin@8.0.2","@ephox/sand@2.0.13","@ephox/sand@2.0.14","@ephox/sand@2.0.16","@ephox/sand@2.0.17","@ephox/sand@2.0.18","@ephox/sand@2.0.19","@ephox/sand@2.0.20","@ephox/sand@2.0.21","@ephox/sand@3.0.0","@ephox/sand@3.0.1","@ephox/sand@3.0.2","@ephox/sand@3.0.3","@ephox/sand@3.0.4","@ephox/sand@3.0.5","@ephox/sand@3.0.6","@ephox/sand@3.1.10","@ephox/sand@3.1.8","@ephox/sand@4.0.1","@ephox/snooker@4.0.32","@ephox/snooker@4.0.33","@ephox/snooker@4.0.35","@ephox/snooker@4.0.36","@ephox/snooker@4.0.37","@ephox/snooker@4.0.38","@ephox/snooker@4.0.39","@ephox/snooker@4.0.40","@ephox/snooker@4.0.41","@ephox/snooker@4.0.42","@ephox/snooker@4.0.43","@ephox/snooker@5.0.0","@ephox/snooker@5.0.1","@ephox/snooker@5.0.10","@ephox/snooker@5.0.2","@ephox/snooker@5.0.3","@ephox/snooker@5.0.4","@ephox/snooker@5.0.5","@ephox/snooker@5.0.6","@ephox/snooker@5.0.7","@ephox/snooker@5.0.8","@ephox/snooker@5.0.9","@ephox/snooker@5.1.14","@ephox/snooker@6.0.1","@ephox/snooker@7.0.1","@ephox/snooker@7.0.2","@ephox/sugar@4.6.17","@ephox/sugar@4.6.18","@ephox/sugar@4.6.20","@ephox/sugar@4.6.21","@ephox/sugar@4.6.22","@ephox/sugar@4.6.23","@ephox/sugar@4.6.24","@ephox/sugar@4.6.25","@ephox/sugar@4.6.26","@ephox/sugar@4.6.27","@ephox/sugar@4.6.28","@ephox/sugar@5.0.0","@ephox/sugar@5.0.1","@ephox/sugar@5.0.2","@ephox/sugar@5.0.3","@ephox/sugar@5.0.4","@ephox/sugar@5.0.5","@ephox/sugar@5.0.6","@ephox/sugar@5.0.7","@ephox/sugar@6.0.1","@ephox/sugar@6.1.1","@ephox/sugar@7.0.1","@tinymce/oxide-icons-default@1.0.41","@tinymce/oxide-icons-default@1.0.42","@tinymce/oxide-icons-default@1.3.3","@tinymce/oxide-icons-default@1.4.1","@tinymce/oxide-icons-default@1.5.1","@tinymce/oxide@1.0.215","@tinymce/oxide@1.0.216","@tinymce/oxide@1.0.217","@tinymce/oxide@1.0.218","@tinymce/oxide@1.0.219","@tinymce/oxide@1.0.220","@tinymce/oxide@1.0.221","@tinymce/oxide@1.0.222","@tinymce/oxide@1.0.223","@tinymce/oxide@1.0.224","@tinymce/oxide@1.0.225","@tinymce/oxide@1.0.226","@tinymce/oxide@1.0.227","@tinymce/oxide@1.0.228","@tinymce/oxide@1.0.229","@tinymce/oxide@1.0.230","@tinymce/oxide@1.0.231","@tinymce/oxide@1.0.232","@tinymce/oxide@1.0.233","@tinymce/oxide@1.0.234","@tinymce/oxide@1.0.235","@tinymce/oxide@1.0.236","@tinymce/oxide@1.3.1","@tinymce/oxide@1.4.1","@tinymce/oxide@1.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21911.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}