CVE-2026-47759 - TinyMCE data-mce attribute XSS

TinyMCE disclosed a stored XSS issue where unsafe data-mce-* attributes such as data-mce-href, data-mce-src, and data-mce-style could survive editor parsing and later override sanitized attributes during serialization. The risky shape is any application that lets less-trusted users submit rich HTML through TinyMCE and then renders that stored content to other users.

Treat this as a stored-content remediation, not only a dependency bump. The PR should upgrade every TinyMCE distribution the product serves, prove stored HTML is re-sanitized or re-rendered through patched code, and preserve any existing server-side HTML sanitizer instead of relying on the editor alone.

When to use it

Use this recipe when a product uses TinyMCE for multi-user rich-text authoring and stored HTML can be viewed by admins, reviewers, customers, support teams, email recipients, exports, or anonymous visitors. It is designed for source-code remediation, editor/runtime upgrade review, server-side sanitizer evidence, stored-content cleanup planning, and proof that TinyMCE internal data-mce-* attributes cannot become scriptable content.

Inputs

  • TinyMCE version, package manager and lockfile state, vendored/CDN assets, editor configuration, enabled plugins, sanitizer configuration, CSP, and SBOM or generated dependency reports.
  • Source paths that configure TinyMCE, accept rich text, store HTML, sanitize or render stored content, generate previews, exports, emails, PDFs, or mobile webview content.
  • Regression fixtures for benign rich text, data-mce-href, data-mce-src, data-mce-style, event handlers, JavaScript URLs, unsafe CSS, and stripped editor-internal attributes.
  • Boundary evidence: author/viewer roles, tenant/admin crossing, stored-content migration plan, content ownership, logs, rollout owner, and operator cleanup requirements.

Affected versions

  • Vulnerable packages: tinymce (npm), tinymce/tinymce (Composer), and TinyMCE (NuGet)
  • Vulnerable ranges: <5.11.1, >=6.0.0, <7.9.3, and >=8.0.0, <8.5.1
  • Fixed versions: 5.11.1 LTS, 7.9.3, 8.5.1, or later on the selected release line
  • Affected attributes: data-mce-href, data-mce-src, data-mce-style, and adjacent data-mce-* editor-internal attributes that can influence serialized href, src, or style
  • Affected content: stored rich-text HTML that is rendered back to authors, reviewers, admins, customers, or anonymous visitors

Indicator-of-exposure

  • The repository depends on, vendors, bundles, CDN-pins, or deploys TinyMCE in an affected range.
  • Users outside the trusted developer/operator group can submit TinyMCE-backed rich text, CMS pages, product descriptions, comments, tickets, emails, templates, notifications, wiki pages, admin notes, or help-center content.
  • Stored TinyMCE HTML is rendered to other users through server templates, client hydration, preview routes, exports, emails, PDFs, or mobile/webview clients.
  • The application trusts client-side TinyMCE filtering without a server-side sanitizer or stores raw editor HTML for later rendering.
  • Content security policy, iframe isolation, or sanitizer tests are absent or do not cover data-mce-* attributes.

Quick checks:

rg -n "tinymce|TinyMCE|data-mce-|mce:|valid_elements|extended_valid_elements|media|link|image|rich text|wysiwyg|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|data-mce-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates . 2>/dev/null

Windows:

rg -n "tinymce|TinyMCE|data-mce-|mce:|valid_elements|extended_valid_elements|media|link|image|rich text|wysiwyg|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|data-mce-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates .

Do not paste exploit HTML into production editors, publish test XSS content, open stored customer content in a privileged browser, or dump user-authored HTML during triage.

Remediation strategy

  • Upgrade every controlled TinyMCE package, vendored asset, CDN URL, lockfile, SBOM, generated dependency report, and rendered deployment artifact to 5.11.1 LTS, 7.9.3+, or 8.5.1+ on the selected release line.
  • Prefer 8.5.1+ for active 8.x deployments and 7.9.3+ for active 7.x deployments. Treat TinyMCE 6.x as needing a supported-line migration because the fixed ranges published for this advisory are 5 LTS, 7.x, and 8.x.
  • Keep or add server-side HTML sanitization for stored content. The sanitizer should strip TinyMCE-internal data-mce-* attributes unless there is a narrowly reviewed business need.
  • Re-sanitize or safely re-save existing stored rich-text records that may have been authored before the upgrade. If bulk rewrite is unsafe, add an on-read/on-render sanitizer and document the cleanup backlog.
  • Add regression tests that pass benign rich text but reject or strip data-mce-href, data-mce-src, data-mce-style, event handlers, JavaScript URLs, unsafe CSS, and nested editor-internal attributes before content reaches another user’s browser.
  • Review CSP, iframe sandboxing, preview routes, export/render pipelines, and email/PDF renderers so the fix is not limited to the edit screen.

The prompt

You are remediating CVE-2026-47759 / GHSA-q742-qvgc-gc2f, a TinyMCE stored
XSS issue where unsafe `data-mce-*` attributes can override sanitized `href`,
`src`, or `style` values during editor serialization. Produce exactly one
output:

- A reviewer-ready PR/change request that upgrades TinyMCE, preserves
  server-side HTML sanitization, adds stored-content regression coverage,
  refreshes generated artifacts, and documents content cleanup, or
- TRIAGE.md if this repository does not control an affected TinyMCE runtime,
  package, vendored asset, CDN pin, or rich-text rendering surface.

## Rules

- Scope only CVE-2026-47759 / GHSA-q742-qvgc-gc2f and directly related
  TinyMCE stored-content sanitization and rendering controls.
- Treat stored rich text, customer content, admin notes, email bodies, CMS
  pages, session cookies, auth tokens, screenshots, exports, and rendered
  previews as sensitive.
- Do not create or publish exploit pages, execute JavaScript payloads, paste
  test XSS into production editors, use privileged browsers for unsafe
  previews, or dump customer-authored HTML into logs or commits.
- Do not remove server-side sanitizers, CSP, iframe isolation, content approval,
  audit logs, or rich-text tests to make the upgrade pass.
- Do not auto-merge.

## Steps

1. Inventory every TinyMCE reference controlled by this repository: npm,
   Composer, NuGet, lockfiles, vendored static assets, CDN URLs, package
   managers, Docker images, CMS plugins, admin bundles, mobile/webview assets,
   SBOMs, generated dependency reports, and docs that pin versions.
2. Determine every resolved TinyMCE version. A target is vulnerable if it
   resolves to `<5.11.1`, `>=6.0.0, <7.9.3`, or `>=8.0.0, <8.5.1`.
3. Search for rich-text surfaces and render paths: WYSIWYG editors, CMS pages,
   comments, tickets, product descriptions, notifications, email templates,
   markdown/HTML imports, preview routes, exports, PDFs, mobile/webviews,
   `valid_elements`, `extended_valid_elements`, `data-mce-*`, sanitizer
   configuration, CSP, iframe sandboxing, and stored-content migrations.
4. If the repository only contains documentation or an external vendor owns
   TinyMCE, stop with `TRIAGE.md` listing checked files, runtime owner, and the
   required fixed version.
5. Upgrade all controlled TinyMCE references:
   - 5.x LTS deployments to `5.11.1+` when a commercial LTS path is available;
   - 7.x deployments to `7.9.3+`;
   - 8.x deployments to `8.5.1+`;
   - 6.x deployments to a supported fixed line, normally `7.9.3+` or `8.5.1+`.
6. Refresh lockfiles, package-manager metadata, vendored assets, CDN hashes,
   image digests, rendered deployment artifacts, SBOMs, dependency reports, and
   release documentation.
7. Verify or patch stored-content sanitization:
   - sanitize on the server before storage or before rendering;
   - strip TinyMCE-internal `data-mce-*` attributes unless explicitly needed;
   - reject or neutralize JavaScript URLs, event handlers, unsafe CSS, SVG
     script vectors, and nested editor-internal attributes;
   - ensure preview, export, email, PDF, and mobile/webview renderers use the
     same sanitized content boundary as normal page views.
8. Add safe regression coverage without executing payloads:
   - dependency policy rejects affected TinyMCE versions;
   - benign rich text still renders;
   - `data-mce-href`, `data-mce-src`, and `data-mce-style` are stripped or
     cannot override safe `href`, `src`, and `style`;
   - sanitizer output contains no scriptable URLs, event handlers, or
     unauthorized `data-mce-*` attributes;
   - logs and test snapshots do not contain customer content or session data.
9. Add a PR body section named `CVE-2026-47759 operator actions` that states:
   - TinyMCE versions before and after;
   - every rich-text authoring surface and rendering surface checked;
   - whether server-side sanitization was already present or added;
   - whether existing stored rich text must be re-sanitized, migrated, or
     cleaned on read;
   - whether CSP, iframe sandboxing, email/PDF renderers, or mobile/webview
     clients need follow-up;
   - which validation commands passed.
10. Run available validation: package install, lockfile integrity, frontend
    tests, sanitizer unit tests, rich-text render tests, lint/typecheck,
    browser smoke tests, container build, SBOM refresh, and dependency/security
    scans.
11. Use PR title:
    `fix(sec): remediate CVE-2026-47759 in TinyMCE`

## Stop conditions

- No affected TinyMCE package, vendored asset, CDN pin, or rich-text rendering
  surface is controlled by this repository.
- The TinyMCE runtime or CMS plugin is owned by another team or vendor; name
  the owner and required fixed versions in `TRIAGE.md`.
- Moving from TinyMCE 6.x or unsupported 5.x requires a broader product
  migration that cannot fit in this PR.
- Validating exposure would require publishing exploit HTML, using production
  content, opening unsafe previews in a privileged browser, or exposing stored
  customer data.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades TinyMCE, preserves or adds server-side sanitization, adds stored-content regression tests, refreshes generated artifacts, and documents cleanup/operator actions.
  • Or a TRIAGE.md file that lists inspected packages/assets/config, owner, observed version, rich-text authoring/rendering boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not publish exploit HTML, expose customer-authored content, weaken sanitizers/CSP, or open unsafe content in privileged sessions.

Verification - what the reviewer looks for

  • No controlled npm, Composer, NuGet, vendored asset, CDN URL, image, SBOM, or generated report resolves TinyMCE to <5.11.1, >=6.0.0, <7.9.3, or >=8.0.0, <8.5.1.
  • Stored rich-text render paths use patched TinyMCE assets and server-side sanitization or an equivalent trusted render boundary.
  • Regression tests show data-mce-href, data-mce-src, and data-mce-style cannot override sanitized attributes.
  • Existing content cleanup is either completed, safely handled on render, or explicitly tracked as an operator action.
  • The PR avoids exploit execution and does not expose customer-authored HTML, cookies, tokens, screenshots, exports, or admin-only content.

Watch for

  • Updating npm while a CMS plugin, Composer package, NuGet package, vendored asset, CDN URL, or static bundle still serves an affected TinyMCE build.
  • Treating TinyMCE client-side filtering as a replacement for server-side sanitization.
  • Sanitizing only edit screens while previews, public pages, email, PDF export, or mobile/webview clients render older stored HTML.
  • Leaving extended_valid_elements rules that preserve broad data-mce-*, style, or URL-bearing attributes for untrusted authors.
  • Snapshot tests that commit real customer content or privileged rendered HTML.

References