SB2026052050 - Multiple vulnerabilities in TinyMCE
Published: May 20, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of data-mce-* attribute values when the editor parses and serializes content containing data-mce-href, data-mce-src, or data-mce-style attributes. A remote user can supply crafted values for these attributes to execute arbitrary script code in a victim's browser.
User interaction is required: the victim must open content containing the crafted attributes.
2) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper handling of mce:protected comments when protected content is restored. A remote user can forge mce:protected comments that bypass sanitization, so that the script they carry is injected and executed in a victim's browser when the protected content is restored.
Only instances that configure the protect option are affected, and user interaction is required.
3) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in the media plugin when it renders content containing crafted data-mce-* attributes. A remote user can inject crafted data-mce-object and related data-mce-p-* attributes to execute arbitrary script in the victim's browser.
User interaction is required: the malicious content must be rendered in the victim's editor. Only instances with the media plugin enabled are affected.
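A triage check covering the three items above, added here as an example; it is not part of this bulletin and is not TinyMCE code. It scans HTML submitted by or stored from a TinyMCE client for the editor-internal markers each item names (data-mce-href, data-mce-src and data-mce-style; mce:protected comments; data-mce-object and data-mce-p-* attributes). It rests on an assumption the bulletin does not state: that a document serialized by a healthy editor does not contain these markers, so their presence in submitted or stored content indicates content that bypassed the editor's pipeline and is worth reviewing. The sample document, the marker categories and the function names are constructed for this example. It is a detector, not a sanitizer, and does not replace the vendor update or a proper server-side HTML sanitizer.

```javascript
// Added example (not from the bulletin or from TinyMCE): flag editor-internal
// markers in HTML that should already have been serialized for storage.
// Assumption: TinyMCE resolves data-mce-* attributes and mce:protected comments
// on serialization, so finding them server-side is anomalous.

// Tokenize into HTML comments and start/end tags (comments first so that a
// tag-like sequence inside a comment is not treated as a tag).
const TAG_OR_COMMENT = /<!--[\s\S]*?-->|<\/?[a-zA-Z][^>]*>/g;
// Attribute name, optionally followed by a quoted or unquoted value.
const ATTRIBUTE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Map an attribute name to the bulletin item it relates to.
// Returns null for attributes that are not TinyMCE-internal.
function classifyAttribute(name) {
  const n = name.toLowerCase(); // HTML attribute names are case-insensitive
  if (!n.startsWith('data-mce-')) return null;
  if (n === 'data-mce-href' || n === 'data-mce-src' || n === 'data-mce-style') {
    return 'item1-attribute-handling';
  }
  if (n === 'data-mce-object' || n.startsWith('data-mce-p-')) {
    return 'item3-media-plugin';
  }
  return 'other-internal-attribute';
}

// Walk the document and return one finding per suspicious marker.
function scanForEditorInternals(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_OR_COMMENT)) {
    const token = m[0];
    if (token.startsWith('<!--')) {
      // The protect option stashes protected content inside comments of the
      // form <!--mce:protected ...--> while the document is in the editor.
      if (/^<!--\s*mce:protected\b/i.test(token)) {
        findings.push({ kind: 'item2-protected-comment', name: 'mce:protected',
                        offset: m.index, snippet: token.slice(0, 60) });
      }
      continue;
    }
    if (token.startsWith('</')) continue; // end tags carry no attributes
    // Drop the tag name and the closing "/>" or ">", then walk the attributes.
    const body = token.replace(/^<[a-zA-Z][^\s\/>]*/, '').replace(/\/?>$/, '');
    for (const a of body.matchAll(ATTRIBUTE)) {
      const kind = classifyAttribute(a[1]);
      if (kind) {
        findings.push({ kind, name: a[1].toLowerCase(),
                        offset: m.index, snippet: token.slice(0, 60) });
      }
    }
  }
  return findings;
}

// Count findings per category, e.g. for a dashboard or a log line.
function summarize(html) {
  const counts = {};
  for (const f of scanForEditorInternals(html)) {
    counts[f.kind] = (counts[f.kind] || 0) + 1;
  }
  return counts;
}

// Constructed sample: a stored document that did not pass through the editor's
// serializer. Attribute values are placeholders, not a payload.
const SAMPLE_HTML = [
  '<p>Normal paragraph with a <a href="https://example.org/">link</a>.</p>',
  '<p><a href="https://example.org/" data-mce-href="https://example.org/">internal attr</a></p>',
  '<!--mce:protected placeholder-->',
  '<img src="placeholder.png" data-mce-object="iframe" data-mce-p-src="https://example.org/embed">',
].join('\n');

console.log(JSON.stringify(summarize(SAMPLE_HTML)));
```

Run it over content at the point where the application accepts the editor's output (the form handler or API endpoint) and, once, over the existing content store; a non-empty result does not prove exploitation, but it does mean the document was not produced by a normal save from the editor and deserves a look. The regexes are a triage tool, not an HTML parser: use a real sanitizer for the content you actually render.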
Remediation
Install the update from the vendor's website. As defense in depth, continue to sanitize editor-submitted HTML on the server before storing or rendering it; sanitization performed inside the editor is not a trust boundary.