{"id":"CVE-2026-47759","summary":"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes","details":"TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.","aliases":["GHSA-q742-qvgc-gc2f"],"modified":"2026-07-15T01:48:51.074837587Z","published":"2026-05-28T15:20:11.242Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"5.11.1"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47759.json"},"references":[{"type":"WEB","url":"https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview"},{"type":"WEB","url":"https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47759.json"},{"type":"ADVISORY","url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47759"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tinymce/tinymce","events":[{"introduced":"4cc623897917472ba418f1378170727d7a94575b"},{"fixed":"9dac5bb3c875b9c5de43a3f6ea33f55437e77325"},{"introduced":"9f7ab4d2acef062e7f2cd85e7498e3016446ff65"},{"fixed":"03573dd3ca7ac79f79b8f6e66f3b4256d3e1de36"}],"database_specific":{"cpe":"cpe:2.3:a:tiny:tinymce:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"6.0.0"},{"fixed":"7.9.3"},{"introduced":"8.0.0"},{"fixed":"8.5.1"}],"source":"CPE_RANGE"}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47759.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"}]}