Cross-site scripting in TinyMCE - #VU131920

Published: May 20, 2026 / Updated: May 20, 2026


Vulnerability identifier: #VU131920
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: tinymce
Affected software:
TinyMCE

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the media plugin when rendering content containing crafted data-mce-* attributes. A remote user can inject crafted data-mce-object and related data-mce-p-* attributes into editor content; when that content is rendered, the injected markup executes arbitrary script in the victim's browser.

User interaction is required when the malicious content is rendered, and only instances with the media plugin enabled are vulnerable.
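The following is an added, simplified model of the mechanism described above, written for this page and not taken from TinyMCE's media plugin source. It assumes the general placeholder pattern (a placeholder element carrying data-mce-object for the real tag name and data-mce-p-<name> for that element's attributes) and compares a restore step that copies every data-mce-p-* attribute verbatim with one that enforces an allowlist and URL policy. The sample HTML, the attribute allowlist, and all function names are constructed for illustration; the audit helper at the end gives a crude way to scan stored content for placeholders that the stricter policy would reject.

```javascript
// Illustrative model only: not TinyMCE's code. Placeholder markup, the
// allowlist below and the helper names are assumptions made for this example.

// Parse the attributes of one HTML start tag into a name -> value map.
// Minimal on purpose: handles name="value" and bare names only (no single
// quotes, no unquoted values).
function parseStartTag(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-zA-Z0-9-]+/, '').replace(/\/?>$/, '');
  const re = /([^\s=]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] === undefined ? '' : m[2];
  }
  return attrs;
}

// Vulnerable pattern: every data-mce-p-* attribute is copied back onto the
// restored element unchanged, so whoever controls the stored placeholder
// controls the attributes (including event handlers) of the live element.
function restoreNaive(placeholderAttrs) {
  const tag = placeholderAttrs['data-mce-object'];
  const out = {};
  for (const [k, v] of Object.entries(placeholderAttrs)) {
    if (k.startsWith('data-mce-p-')) out[k.slice('data-mce-p-'.length)] = v;
  }
  return { tag, attrs: out };
}

// Hardened pattern: restore only to an expected media tag, keep only
// allowlisted attributes (so on* handlers never come back), and require
// http(s) or same-origin path URLs for URL-bearing attributes.
const ALLOWED = {
  video: new Set(['src', 'controls', 'width', 'height', 'poster']),
  audio: new Set(['src', 'controls']),
  iframe: new Set(['src', 'width', 'height', 'allowfullscreen']),
};
const URL_ATTRS = new Set(['src', 'poster']);

// Browsers ignore ASCII control characters inside a scheme, so strip them
// before checking; "java\tscript:" must not pass.
function safeUrl(v) {
  const s = v.replace(/[\x00-\x20]/g, '').toLowerCase();
  return /^https?:\/\//.test(s) || /^\/[^\/]/.test(s);
}

function restoreHardened(placeholderAttrs) {
  const tag = String(placeholderAttrs['data-mce-object'] || '').toLowerCase();
  const allow = ALLOWED[tag];
  if (!allow) return null; // unknown object type: refuse to restore at all
  const out = {};
  for (const [k, v] of Object.entries(placeholderAttrs)) {
    if (!k.startsWith('data-mce-p-')) continue;
    const name = k.slice('data-mce-p-'.length);
    if (!allow.has(name)) continue;                     // drops onerror, srcdoc, ...
    if (URL_ATTRS.has(name) && !safeUrl(v)) continue;   // drops javascript: URLs
    out[name] = v;
  }
  return { tag, attrs: out };
}

// Audit helper: list data-mce-p-* attributes in stored HTML that the hardened
// policy would reject. Useful for finding crafted placeholders in a database
// before the editor ever renders them.
function auditPlaceholders(html) {
  const findings = [];
  const tagRe = /<[a-zA-Z][^>]*\bdata-mce-object\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseStartTag(m[0]);
    const naive = restoreNaive(attrs);
    const hard = restoreHardened(attrs);
    for (const name of Object.keys(naive.attrs)) {
      if (!hard || !(name in hard.attrs)) {
        findings.push({ tag: naive.tag, attr: name, value: naive.attrs[name] });
      }
    }
  }
  return findings;
}

// Constructed sample content: one benign placeholder, one carrying an event
// handler, one carrying a javascript: URL.
const SAMPLE = [
  '<p>Intro</p>',
  '<img data-mce-object="video" data-mce-p-src="https://example.com/clip.mp4" data-mce-p-controls="controls">',
  '<img data-mce-object="video" data-mce-p-src="https://example.com/x.mp4" data-mce-p-onerror="alert(1)">',
  '<img data-mce-object="iframe" data-mce-p-src="javascript:alert(1)">',
].join('');

console.log(JSON.stringify(auditPlaceholders(SAMPLE), null, 2));
```

The point of the hardened variant is that the placeholder restore step applies the same attribute and URL policy the editor would apply to the real element; otherwise data-mce-p-* becomes a way to smuggle attributes past whatever filtering happens on the visible markup.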


Remediation

Install the security update from the vendor's website.

Sources