CVE-2026-47760

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
28/05/2026
Last modified:
28/05/2026

Description

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:tiny:tinymce:*:*:*:*:*:*:*:* 6.8.0 (including) 7.1.0 (excluding)