Cross-site scripting in tinymce - #VU131914
Published: May 27, 2021 / Updated: May 20, 2026
tinymce
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript.
The vulnerability exists due to improper neutralization of input during web page generation in the core parser for form elements when processing specially crafted content inserted through the clipboard or APIs and later rendering or previewing the content outside of the editor. A remote attacker can insert specially crafted content to execute arbitrary JavaScript.
The issue can only be triggered when the content is previewed or rendered outside of the editor, because forms cannot be submitted while editing.