Cross-site scripting in tinymce - #VU131916
Published: August 10, 2020 / Updated: May 20, 2026
tinymce
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript.
The vulnerability exists due to cross-site scripting in the core parser when processing specially crafted content inserted into the editor via the clipboard or APIs. A remote attacker can insert specially crafted content to execute arbitrary JavaScript.