CVE-2026-47762: TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments that allows attackers to bypass sanitization and inject scripts which execute when the content is restored. It impacts users who use the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) vulnerability in TinyMCE allows an authenticated attacker to inject malicious script content via forged mce:protected comments, which bypass the editor's sanitization logic. The attack is delivered over the network, requires a low-privilege account to store the payload, and needs a victim to open or restore the affected content in their browser. Successful exploitation gives the attacker full script execution in the victim's browser session, enabling credential theft, session hijacking, or unauthorized actions on behalf of the victim. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream fix versions are confirmed published.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-47762 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including GitHub Advisory and NVD) within minutes of publication and matched against all customer images, including custom-built images that bundle TinyMCE. Any image layer containing an affected version of the tinymce package is flagged automatically.
- Triage: Available
Triage is available using the CVSS v3.1 score of 8.7 (HIGH), with per-environment compliance policy weighting applied so teams operating stricter policies surface this finding at higher priority. Routing rules within each customer org direct the alert to the team or inbox responsible for front-end or CMS-related workloads.
- Patched-image rebuild: Pending upstream
Because no upstream fix version has been confirmed published at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment versions 5.11.1, 7.9.3, or 8.5.1 (as applicable to each image's pinned version) are released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically without requiring manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the TinyMCE-backed application over the network to submit the forged mce:protected comment payload.
- Authentication: Required
A low-privilege account is sufficient; the attacker only needs permission to submit or save content through the editor.
- Victim interaction: Required
A victim must open or restore the content containing the injected payload in their browser for the script to execute.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.
Blast Radius
- Reads active session tokens and authentication cookies from the victim's browser, enabling account takeover.
- Executes arbitrary JavaScript in the victim's browser session, allowing the attacker to perform actions on the victim's behalf within the application.
- Exfiltrates sensitive data visible in the DOM, such as form inputs, personal information, or application state, to an attacker-controlled endpoint.
- Propagates the stored payload to additional victims who load the same content, widening the scope of compromise beyond the initial target.
How HarborGuard Handles This
Available on HarborGuard: automatic scanning flags any image containing a vulnerable TinyMCE version (tinymce < 5.11.1, >= 6.0.0 through <= 6.8.6, >= 7.0.0 and < 7.9.3, or >= 8.0.0 and < 8.5.1) as HIGH severity. Because no upstream fix has been published at this time, HarborGuard re-checks the advisory on every ingest cycle. As interim compensating controls, consider isolating the application behind network policy to restrict which principals can submit rich-text content, applying strict Content Security Policy headers to limit script execution scope, and disabling or gating the TinyMCE protect option via feature flag if your deployment does not depend on it. Where compliance policy permits, the moment upstream confirms a fix release, a patched-image rebuild will become available and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads automatically.
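To show the version matching such a scan performs, here is an added example (not HarborGuard's own code) that checks tinymce versions found in a package-lock.json against the affected ranges stated in this advisory; the lockfile content is constructed, and the lockfileVersion 2/3 "packages" layout is assumed.

```python
"""Check tinymce versions against the affected ranges in the CVE-2026-47762 advisory.
Constructed example, not HarborGuard's scanner; ranges copied from the advisory text."""
import json
import re

# (lower bound inclusive or None, upper bound, whether the upper bound itself is affected)
AFFECTED_RANGES = [
    (None, "5.11.1", False),    # < 5.11.1
    ("6.0.0", "6.8.6", True),   # >= 6.0.0, <= 6.8.6 (no 6.x fix release is listed)
    ("7.0.0", "7.9.3", False),  # >= 7.0.0, < 7.9.3
    ("8.0.0", "8.5.1", False),  # >= 8.0.0, < 8.5.1
]
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")
def parse_version(text):
    """Return (major, minor, patch, flag); a pre-release tag sorts below its final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an exact semver version: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)) + ((0 if m.group(4) else 1),)

def is_affected(version):
    """True if the exact version falls inside any affected range from the advisory."""
    v = parse_version(version)
    for lower, upper, upper_inclusive in AFFECTED_RANGES:
        if lower is not None and v < parse_version(lower):
            continue
        u = parse_version(upper)
        if v < u or (upper_inclusive and v == u):
            return True
    return False

def scan_lockfile(lock_json):
    """List every tinymce entry of a lockfileVersion 2/3 package-lock.json as (path, version, affected)."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        # Nested copies live under ".../node_modules/tinymce"; the root entry ("") is the app itself.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == "tinymce" and "version" in meta:
            findings.append((path, meta["version"], is_affected(meta["version"])))
    return findings

# Constructed lockfile: one affected direct dependency and one nested, already-patched copy.
SAMPLE_LOCK = json.dumps({"name": "cms-frontend", "lockfileVersion": 3, "packages": {
    "node_modules/tinymce": {"version": "7.9.2"},
    "node_modules/legacy-editor/node_modules/tinymce": {"version": "5.11.1"},
}})

if __name__ == "__main__":
    for path, version, affected in scan_lockfile(SAMPLE_LOCK):
        print(f"{path}: tinymce {version} -> {'AFFECTED' if affected else 'not affected'}")
```

A pre-release such as 8.5.1-rc.1 is treated as older than 8.5.1 and therefore still flagged, which is the conservative choice for a scanner.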
Metrics
- CVSS v3.1: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- tinymce / tinymce: < 5.11.1 · >= 6.0.0, <= 6.8.6 · >= 7.0.0, < 7.9.3 · >= 8.0.0, < 8.5.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N