HIGH · CVE-2026-47761 · Published · Modified · CNA: GitHub_M

CVE-2026-47761: TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.

HarborGuard Analysis

Synopsis

A stored cross-site scripting (XSS) vulnerability in TinyMCE's media plugin allows an authenticated attacker to inject malicious scripts via crafted data-mce-* attributes in media embed content. The attack is reachable over the network and requires only a low-privilege account; a victim must load or view the affected content for the injected script to execute. Successful exploitation gives the attacker full read and write access to the victim's session context, including the ability to exfiltrate data or perform actions on their behalf. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream fix versions are published.

HarborGuard Coverage

Detection

Detection of CVE-2026-47761 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle TinyMCE. Any image containing an affected TinyMCE version (below 5.11.1, between 6.0.0 and 6.8.6 inclusive, or below 7.9.3 or 8.5.1 in the respective major lines) is flagged automatically.

Status: Available
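The version match described under Detection, as an added example that is not HarborGuard's or TinyMCE's code: a small Node.js check that applies the affected ranges listed on this page to every tinymce copy recorded in a package-lock.json (lockfileVersion 2/3 "packages" map). The sample lockfile is constructed for the example.

```javascript
// Added example (not HarborGuard's or TinyMCE's code): apply this advisory's
// affected ranges to the tinymce copies recorded in a package-lock.json.
// Ranges as listed on the page; min of null means "no lower bound".
const AFFECTED_RANGES = [
  { min: null,    max: "5.11.1", maxInclusive: false }, // < 5.11.1
  { min: "6.0.0", max: "6.8.6",  maxInclusive: true  }, // >= 6.0.0, <= 6.8.6
  { min: "7.0.0", max: "7.9.3",  maxInclusive: false }, // >= 7.0.0, < 7.9.3
  { min: "8.0.0", max: "8.5.1",  maxInclusive: false }, // >= 8.0.0, < 8.5.1
];

// Parse "major.minor.patch"; a leading "v" and any prerelease/build suffix
// are accepted but ignored for ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare, so "7.10.0" sorts after "7.9.3" (a string compare would not).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when the version falls inside any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(({ min, max, maxInclusive }) => {
    if (min !== null && compareVersions(version, min) < 0) return false;
    const c = compareVersions(version, max);
    return maxInclusive ? c <= 0 : c < 0;
  });
}

// Walk a lockfileVersion 2/3 "packages" map and report every tinymce install,
// including nested copies under other dependencies, whose version is affected.
function findAffectedTinymce(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/tinymce") || !meta.version) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}
// Constructed sample lockfile (hypothetical project, not real data).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/tinymce": { version: "7.9.2" },
  "node_modules/legacy-widget/node_modules/tinymce": { version: "6.8.6" },
} };
console.log(findAffectedTinymce(SAMPLE_LOCK)); // both copies are flagged
```

Nested copies matter because a transitive dependency can pin its own tinymce, so checking only the top-level entry under-reports exposure.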
Triage

Triage is available with a CVSS v3.1 score of 8.7 (HIGH), and each HarborGuard environment can weight that score further against its own compliance policy to reflect business context. Routed findings are surfaced to the appropriate team inbox inside each customer org based on image ownership and policy configuration.

Status: Available
Patch

Because no upstream fix versions have been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the fix version the moment upstream ships. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once a fix becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the TinyMCE-powered application over the network to submit the crafted media content (CVSS AV:N).

  • Authentication: Required

    A low-privilege account is sufficient; the attacker must be authenticated to submit content through the editor (CVSS PR:L).

  • Victim interaction: Required

    A victim must open or render the page containing the injected content for the malicious script to execute (CVSS UI:R).

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable with no race conditions or special environmental factors required (CVSS AC:L).

Blast Radius

  • Reads session tokens, cookies, and other credentials accessible to the victim's browser context.
  • Reads sensitive page content and data visible to the logged-in victim, including any customer records or private information rendered on the page.
  • Performs authenticated actions in the application on the victim's behalf, such as modifying stored content, changing account settings, or submitting forms.

How HarborGuard Handles This

Status: Available on HarborGuard. Because no upstream fix has been published for CVE-2026-47761 at this time, HarborGuard continuously monitors the advisory and re-evaluates affected images on every ingest cycle. In the interim, compensating controls worth considering include network-policy isolation to restrict which users or roles can submit media content to TinyMCE-backed endpoints, feature-flag gating to disable the media plugin in environments where it is not essential, and egress filtering to limit the destinations reachable by injected scripts. The moment upstream publishes a fix in the 5.x, 7.x, or 8.x lines, a patched-image rebuild will become available on HarborGuard. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads.

Metrics

  • CVSS v3.1: 8.7
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages:
    • tinymce / tinymce: < 5.11.1 · >= 6.0.0, <= 6.8.6 · >= 7.0.0, < 7.9.3 · >= 8.0.0, < 8.5.1
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N