CVE-2026-47760: TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.
HarborGuard Analysis
Synopsis
A stored cross-site scripting (XSS) vulnerability exists in TinyMCE versions 6.0.0 through 7.0.x, caused by improper SVG namespace scope handling in the editor's HTML sanitizer. An authenticated attacker can craft a nested SVG payload that bypasses attribute sanitization and injects arbitrary JavaScript into content rendered by the editor. Successful exploitation gives the attacker control over victim sessions and allows arbitrary actions in the context of the affected web application. A patched-image rebuild at version 7.1.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-47760 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle TinyMCE. Coverage extends to both direct and transitive package inclusions in scanned container layers.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 8.7 (HIGH) and weighting it against each environment's compliance policy to surface priority relative to other open findings. Routing to the appropriate team inbox within each customer organization is available based on policy-defined ownership rules.
Status: Available
Because no fix version has been published in the upstream advisory record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is confirmed. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the application hosting the TinyMCE editor over the network to deliver and store the crafted SVG payload.
- Authentication: Required
The attacker must hold at least a low-privilege account with permission to submit content through the TinyMCE editor.
- Victim interaction: Required
A victim user must open or view the page containing the attacker-crafted content for the injected JavaScript to execute in their browser session.
- Attack complexity: Low
Exploitation is reliable and condition-free once the attacker has editor access; no race conditions or special memory layout requirements are needed.
Blast Radius
- An attacker reads the victim's session tokens, cookies, and any credentials or sensitive data accessible in the browser context.
- The attacker performs arbitrary actions inside the web application on behalf of the victim, including modifying stored content or account settings.
- If the affected editor is embedded in an admin interface, the attacker gains the same elevated application privileges held by the victim at the time of exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against all scanned images containing TinyMCE 6.0.0 through 7.0.x. Because no upstream fix version has been confirmed in the advisory record at this time, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is published upstream. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy rules that restrict which roles can submit rich-text content, content-security-policy headers that block inline script execution, and feature-flag gating to disable the TinyMCE editor for untrusted user roles until a patched image is available.
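As an added example (not HarborGuard or TinyMCE code), the following Node.js script walks a package-lock.json and flags both direct and transitive copies of tinymce that fall inside the affected range given in the Metrics table below (>= 6.0.0, < 7.1.0); the sample lockfile is constructed for illustration.

```javascript
// Added example (not HarborGuard or TinyMCE code): scan a package-lock.json
// (lockfileVersion 2 or 3) for direct and transitive copies of tinymce and
// report any inside the advisory's affected range. The range follows this
// page's Metrics table (>= 6.0.0, < 7.1.0); the upstream description narrows
// the start to 6.8.0, so the wider range is the conservative choice.
const AFFECTED_MIN = "6.0.0";
const FIXED_IN = "7.1.0";

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when version falls inside [AFFECTED_MIN, FIXED_IN).
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Walk the lockfile "packages" map. Keys look like "node_modules/tinymce" for a
// direct dependency or ".../node_modules/<pkg>/node_modules/tinymce" for a
// transitive copy pinned by another package.
function findAffectedTinymce(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/tinymce$/.test(path) || !meta.version) continue;
    if (isAffected(meta.version)) {
      const transitive = path.split("node_modules/").length > 2;
      hits.push({ path, version: meta.version, transitive });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct copy is already on the fixed release,
// while a plugin still pins a transitive copy to an affected release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/tinymce": { version: "7.1.0" },
    "node_modules/legacy-editor-plugin": { version: "2.3.1" },
    "node_modules/legacy-editor-plugin/node_modules/tinymce": { version: "6.8.2" },
  },
};

console.log(findAffectedTinymce(SAMPLE_LOCK));
```

Point the script at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; a non-empty result means at least one bundled copy still needs the 7.1.0 upgrade.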
Metrics
- CVSS v3.1: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - tinymce / tinymce >= 6.0.0, < 7.1.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N