CVE-2026-47759— TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1136 · Create Account T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47759
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
Source: NVD (National Vulnerability Database)
Vulnerability Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Tiny Technologies TinyMCE 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Tiny Technologies TinyMCE是美国Tiny Technologies公司的一款富文本编辑器。 TinyMCE 5.11.1之前版本、7.9.3之前版本和8.5.1之前版本存在跨站脚本漏洞,该漏洞源于未清理的data-mce-*属性可能导致存储型XSS攻击,攻击者可以注入恶意值覆盖安全属性,绕过验证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47759
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47759
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47759 (1)
Vendor Pages for CVE-2026-47759 (2)
- 🔗 TinyMCE 8.5.1 | TinyMCE Documentationx_refsource_MISC
Same Patch Batch · tinymce · 2026-05-28 · 4 CVEs total
| CVE-2026-47760 | 8.7 HIGH | TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested |
| CVE-2026-47761 | 8.7 HIGH | TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` inje |
| CVE-2026-47762 | 8.7 HIGH | TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments |
IV. Related Vulnerabilities
Same product: tinymce
- CVE-2026-47762
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mc - CVE-2026-47761
TinyMCE Cross-Site Scripting (XSS) vulnerability using media - CVE-2026-47760
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanit - CVE-2024-38357
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscr - CVE-2024-38356
TinyMCE Cross-Site Scripting (XSS) vulnerability using noned
Same vendor: tinymce
- CVE-2026-47762
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mc - CVE-2026-47761
TinyMCE Cross-Site Scripting (XSS) vulnerability using media - CVE-2026-47760
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanit - CVE-2024-38357
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscr - CVE-2024-38356
TinyMCE Cross-Site Scripting (XSS) vulnerability using noned
V. Comments for CVE-2026-47759
No comments yet