CVE-2026-47759: TinyMCE Cross-Site Scripting (XSS) vulnerability via data-mce- prefixed src, href, and style attributes
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). This allows attackers to inject malicious values that override the safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
HarborGuard Analysis
Synopsis
A stored cross-site scripting (XSS) vulnerability affects the TinyMCE rich text editor across versions prior to 5.11.1, 7.9.3, and 8.5.1. The flaw is reachable over the network by an attacker with a low-privilege account, but requires a victim to view or interact with content containing the injected payload. Successful exploitation lets an attacker read session tokens and sensitive page data, or modify page content in the context of another user's browser session. Patched-image rebuilds at versions 5.11.1, 7.9.3, and 8.5.1 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection (status: Available)
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and active pipelines, including custom-built images that bundle TinyMCE as a dependency.
- Scoring and routing (status: Available)
HarborGuard scores this CVE at CVSS 8.7 (HIGH) and is capable of weighting that score against each environment's compliance policy to surface it at the appropriate severity tier; routing to the correct team inbox within a customer org is supported based on image ownership and policy configuration.
- Remediation (status: Pending upstream)
Because upstream fix versions (5.11.1, 7.9.3, and 8.5.1) are published, a patched-image rebuild at the applicable fix version is available for any HarborGuard environment running an affected TinyMCE version. For customers who opt into auto-remediation, HarborGuard will rebuild the image, run a regression test suite, and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the application over the network to submit content containing malicious data-mce-* attribute values.
- Authentication: Required
A low-privilege account is sufficient; the attacker only needs enough access to submit rich-text content through the editor.
- Victim interaction: Required
A victim must view or load a page rendering the attacker-injected content for the stored XSS payload to execute in their browser.
- Attack complexity: Low
Exploit complexity is low; no race conditions or special environmental factors are required, and the injection reliably bypasses TinyMCE's attribute sanitization during serialization.
Blast Radius
- Reads session tokens and authentication cookies from the victim's browser, enabling account takeover.
- Reads sensitive page content visible to the victim, including any personal or application data rendered in the same origin.
- Modifies page content or injects UI elements in the victim's browser session, enabling phishing or credential harvesting within the application.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47759 is active across all scanned environments, matching images that bundle any affected TinyMCE version range (below 5.11.1; 6.0.0 through 6.8.6; 7.0.0 up to but not including 7.9.3; and 8.0.0 up to but not including 8.5.1). For customers who opt into auto-remediation, HarborGuard can rebuild the image at the appropriate patched version (5.11.1, 7.9.3, or 8.5.1 depending on the branch in use), run a regression test suite against the rebuilt image, and open a pull request against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the CVE surfaces in the findings queue with CVSS 8.7 HIGH severity and fix-version guidance so teams can act on it manually. In the interim, compensating controls worth considering include restricting which user roles can submit rich-text content through TinyMCE and applying a strict Content-Security-Policy header to block inline script execution on pages that render editor output.
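The serialization-time override described above, viewed from the server side: an added example (not TinyMCE's or HarborGuard's code) that screens editor submissions for data-mce-href/src/style values that would fail the policy applied to the visible attribute, and strips the editor-internal attributes before storage. The URL and CSS policy, the function names and the sample markup are assumptions.

```javascript
// Added example, not TinyMCE's or HarborGuard's code. data-mce-href/src/style are
// editor-internal shadow copies of href/src/style; in affected versions their values
// replace the visible attribute at serialization time. This flags shadow values that
// fail the policy the visible attribute would get and drops every data-mce-* attribute
// before storage. Regex tokenization makes it a screening step, not a full sanitizer.
const SHADOW_ATTRS = new Set(['data-mce-href', 'data-mce-src', 'data-mce-style']);
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);   // assumed allowlist
const UNSAFE_CSS = /url\s*\(|expression\s*\(|@import|behavior\s*:|javascript:/i; // conservative denylist
const TAG_RE = /<([a-z][\w:-]*)([^>]*?)\/?>/gi;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode numeric and common named entities so an encoded scheme is judged on the form the browser sees.
function decodeEntities(value) {
  const cp = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(Number(d)))
    .replace(/&(amp|lt|gt|quot);/gi, (_, e) => named[e.toLowerCase()]);
}
// Relative URLs and allowlisted schemes pass. Control characters and whitespace are
// removed first because browsers ignore them inside a scheme.
function isSafeUrl(raw) {
  const v = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(v);
  return !m || SAFE_SCHEMES.has(m[1].toLowerCase());
}
// Returns { findings, cleaned }: findings lists unsafe shadow attributes for alerting,
// cleaned is the markup with all data-mce-* attributes removed.
function screenEditorHtml(html) {
  const findings = [];
  const cleaned = html.replace(TAG_RE, (_, name, attrs) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!attr.startsWith('data-mce-')) { kept.push(m[0]); continue; }
      const unsafe = attr === 'data-mce-style' ? UNSAFE_CSS.test(decodeEntities(value))
        : SHADOW_ATTRS.has(attr) && !isSafeUrl(value);
      if (unsafe) findings.push({ tag: name.toLowerCase(), attr, value });
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
  return { findings, cleaned };
}

// Constructed sample submission: the visible href is benign, its shadow copy is not.
const SAMPLE = '<p>See <a href="https://example.com/docs" data-mce-href="javascript:alert(1)">docs</a>' +
  '<img src="/img/a.png" data-mce-src="/img/a.png" data-mce-style="background:url(https://evil.example/x)"></p>';
console.log(JSON.stringify(screenEditorHtml(SAMPLE), null, 2));
```

A non-empty findings list is the alerting signal; the cleaned markup is what should reach storage regardless, since the editor re-creates its shadow attributes on load.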
Metrics
- CVSS v3.1: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- tinymce / tinymce: < 5.11.1 · >= 6.0.0, <= 6.8.6 · >= 7.0.0, < 7.9.3 · >= 8.0.0, < 8.5.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N