Skip to content

Update dependency tinymce/tinymce to v7.9.3 [SECURITY]#37

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/packagist-tinymce-tinymce-vulnerability
Open

Update dependency tinymce/tinymce to v7.9.3 [SECURITY]#37
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/packagist-tinymce-tinymce-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
tinymce/tinymce (source) 7.9.27.9.3 age confidence

TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes

CVE-2026-47759 / GHSA-q742-qvgc-gc2f

More information

Details

Impact

Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation.

Patches

Patched by stripping unsafe data-mce-* attributes during parsing. Users should upgrade to the latest patched versions (5 LTS, 7.x, 8.x).

Workarounds

No official workaround available.

Fix

To avoid this vulnerability:

Upgrade to TinyMCE 8.5.1 or higher.
Upgrade to TinyMCE 7.9.3 or higher.
Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Tadi Kadango (website) and Ivan Babenko for their help identifying this vulnerability.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


TinyMCE Cross-Site Scripting (XSS) vulnerability through mce:protected comments

CVE-2026-47762 / GHSA-v98h-vmpc-fpqv

More information

Details

Impact

Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option.

Patches

Patched by validating decoded mce:protected content against configured protect regex rules before restoring. Users should upgrade to the latest patched version.

Workarounds

No official workaround available.

Fix

To avoid this vulnerability:

Upgrade to TinyMCE 8.5.1 or higher.
Upgrade to TinyMCE 7.9.3 or higher.
Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).

Acknowledgements

Tiny thanks Ivan Babenko for their help identifying this vulnerability.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin data-mce-object injection

CVE-2026-47761 / GHSA-vg35-5wq7-3x7w

More information

Details

Impact

Stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled.

Patches

This vulnerability has been patched in TinyMCE 8.5.1, TinyMCE 7.9.3 and TinyMCE 5.11.1 LTS by ensuring that, when using the media plugin, any content with data-mce-object and data-mce-p-* attributes are properly sanitized.

Workarounds

No official workaround available.

Fix

To avoid this vulnerability:

  • Upgrade to TinyMCE 8.5.1 or higher.
  • Upgrade to TinyMCE 7.9.3 or higher.
  • Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
Acknowledgements

Tiny thanks Aymane MAZGUITI and Ange Primiterra for their help identifying this vulnerability.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tinymce/tinymce-dist (tinymce/tinymce)

v7.9.3

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants