CVE-2026-47759
Impact
Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation.
Patches
Patched by stripping unsafe data-mce-* attributes during parsing. Users should upgrade to the latest patched versions (5 LTS, 7.x, 8.x).
Workarounds
No official workaround available.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 8.5.1 or higher.
Upgrade to TinyMCE 7.9.3 or higher.
Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
Acknowledgements
Tiny thanks Tadi Kadango (website) and Ivan Babenko for their help identifying this vulnerability.
⚡ Watch CVE-2026-47759
Get an email if CVE-2026-47759 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 20% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-47759)