CVE-2026-47761— TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
Possible ATT&CK Techniques 3AI
T1090 · Proxy T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47761
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
TinyMCE 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
TinyMCE是美国Tiny Technologies开源的一款富文本编辑器。 TinyMCE 5.11.1之前版本、7.9.3之前版本和8.5.1之前版本存在跨站脚本漏洞,该漏洞源于媒体插件中的存储型XSS漏洞,攻击者可以通过特制的data-mce-*属性注入恶意脚本,在内容渲染时执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47761
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47761
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47761 (1)
Vendor Pages for CVE-2026-47761 (2)
- 🔗 TinyMCE 8.5.1 | TinyMCE Documentationx_refsource_MISC
Same Patch Batch · tinymce · 2026-05-28 · 4 CVEs total
| CVE-2026-47760 | 8.7 HIGH | TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested |
| CVE-2026-47762 | 8.7 HIGH | TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments |
| CVE-2026-47759 | 8.7 HIGH | TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, hre |
IV. Related Vulnerabilities
Same product: tinymce
- CVE-2026-47762
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mc - CVE-2026-47759
TinyMCE Cross-Site Scripting (XSS) vulnerability using throu - CVE-2026-47760
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanit - CVE-2024-38357
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscr - CVE-2024-38356
TinyMCE Cross-Site Scripting (XSS) vulnerability using noned
Same vendor: tinymce
- CVE-2026-47762
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mc - CVE-2026-47759
TinyMCE Cross-Site Scripting (XSS) vulnerability using throu - CVE-2026-47760
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanit - CVE-2024-38357
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscr - CVE-2024-38356
TinyMCE Cross-Site Scripting (XSS) vulnerability using noned
V. Comments for CVE-2026-47761
No comments yet