TinyMCE patches stored XSS flaws in editor sanitizer and media plugin
TinyMCE has patched multiple cross-site scripting vulnerabilities in its widely deployed rich text editor, including stored and sanitization-related flaws tracked as CVE-2026-47759, CVE-2026-47760, CVE-2026-47761, and CVE-2026-47762. The issues could let remote attackers inject malicious JavaScript into web content and compromise active user sessions when affected content is viewed. Reported weaknesses include improper namespace scope handling in the core sanitizer, bypasses involving prefixed attributes and comment handling, and a flaw in the media plugin.
The media plugin issue, CVE-2026-47761, stems from TinyMCE serializing rich-media elements into placeholder images while preserving raw properties in data-mce-* HTML attributes. Because many downstream filters permit arbitrary data-* attributes, malicious payloads can survive sanitization, be stored persistently, and later be deserialized into active DOM elements without sufficient validation, triggering script execution in users' browsers. TinyMCE said fixes are available in supported branches and advised customers to upgrade to version 7.9.3 or later or 8.5.1, while version 5 commercial users may require long-term support updates.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
TinyMCE releases fixes across supported branches
TinyMCE released fixes for the disclosed XSS issues across supported branches. Users were advised to upgrade to version 7.9.3 or later, or version 8.5.1, while version 5 commercial customers may require long-term support fixes.
Researchers disclose multiple TinyMCE XSS vulnerabilities
Researchers disclosed multiple TinyMCE cross-site scripting vulnerabilities, including CVE-2026-47759, CVE-2026-47760, CVE-2026-47761, and CVE-2026-47762. The flaws affect the media plugin and core sanitization logic, with bypasses involving namespace scope handling, prefixed attributes, and comment handling.
TinyMCE stored XSS flaw in media plugin is disclosed as CVE-2026-47761
A stored cross-site scripting vulnerability in TinyMCE's media plugin was disclosed under CVE-2026-47761. The issue stems from unsafe handling of serialized rich-media properties in data-mce-* attributes, which can survive sanitization and later execute attacker-controlled code when content is rendered.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Stored XSS in sanitize-html Defaults via Disallowed `xmp` Tag Bypass
A vulnerability tracked as **CVE-2026-44990** allows stored cross-site scripting in `sanitize-html` when applications use the library’s default configuration and later render sanitized user content as trusted HTML. The flaw affects versions prior to **2.17.4** and stems from the handling of the disallowed `xmp` element: because `htmlparser2` treats `xmp` as a raw-text tag, attacker-supplied markup inside it is preserved as text during sanitization but can be emitted back as active HTML or JavaScript under the default `disallowedTagsMode: 'discard'` behavior. GitHub’s advisory and the upstream patch say the bypass can let payloads such as `<script>`, `img` event handlers, and `svg`-embedded script content survive filtering and execute in a victim’s browser. The fix in **2.17.4** adds `xmp` to `nonTextTags` so content inside a disallowed `xmp` tag is dropped instead of re-emitted, and regression tests were added to confirm the malicious content is removed. The issue was reported by **Vincenzo Turturro** (`sushi-gif`), and users of affected `sanitize-html` deployments, including those in **ApostropheCMS**, were urged to update immediately.
Jun 13, 2026
Multiple MediaWiki and Extension Vulnerabilities Expose Sites to XSS Risks
dCERT issued an advisory for **multiple vulnerabilities in MediaWiki**, followed by a second advisory covering **multiple vulnerabilities in MediaWiki extensions that allow cross-site scripting (XSS)**. The notices indicate that organizations running MediaWiki-based platforms may be exposed through flaws in both the core software and its extension ecosystem. The combined advisories point to a broader security issue for MediaWiki deployments, where weaknesses in core components and add-on extensions can increase the risk of malicious script injection and related compromise of user sessions or administrative actions. Organizations using MediaWiki should review affected versions, assess installed extensions, and apply vendor fixes or mitigations as they become available.
Apr 10, 2026
Multiple Bludit CMS Flaws Enable RCE, XSS, and Session Hijacking
CERT Polska disclosed four vulnerabilities in the Bludit content management system, including an unrestricted file upload flaw tracked as **CVE-2026-25099** that can lead to remote code execution, a stored XSS issue in image upload handling (**CVE-2026-25100**), a session fixation weakness that can enable session hijacking (**CVE-2026-25101**), and a separate stored XSS flaw in page creation tracked as **CVE-2026-4420**. The vulnerabilities were reported by researchers Arkadiusz Marta and Yassin Abdelrazek and affect multiple Bludit versions, with **CVE-2026-25099** impacting all releases before `3.18.4`, **CVE-2026-25101** affecting versions before `3.17.2`, **CVE-2026-25100** affecting all versions through `3.18.2`, and **CVE-2026-4420** confirmed in `3.17.2` and `3.18.0`. The XSS flaws can be exploited by authenticated users with content or page creation privileges by injecting malicious JavaScript into uploaded SVG content or article tags, with payloads executing when victims access publicly reachable resources without authentication. CERT Polska said the page-creation XSS could be used to automatically create a new site administrator if the victim has sufficient privileges, while the file upload issue could allow direct server-side compromise through remote code execution. The agency also said vendor coordination was incomplete, noting the vendor stopped responding or did not provide details on remediation and affected version ranges, raising uncertainty over whether some future releases may remain vulnerable.
Apr 7, 2026