CVE-2026-47759 - TinyMCE data-mce attribute XSS
TinyMCE disclosed a stored XSS issue where unsafe data-mce-* attributes such
as data-mce-href, data-mce-src, and data-mce-style could survive editor
parsing and later override sanitized attributes during serialization. The risky
shape is any application that lets less-trusted users submit rich HTML through
TinyMCE and then renders that stored content to other users.
Treat this as a stored-content remediation, not only a dependency bump. The PR should upgrade every TinyMCE distribution the product serves, prove stored HTML is re-sanitized or re-rendered through patched code, and preserve any existing server-side HTML sanitizer instead of relying on the editor alone.
When to use it
Use this recipe when a product uses TinyMCE for multi-user rich-text authoring
and stored HTML can be viewed by admins, reviewers, customers, support teams,
email recipients, exports, or anonymous visitors. It is designed for
source-code remediation, editor/runtime upgrade review, server-side sanitizer
evidence, stored-content cleanup planning, and proof that TinyMCE internal
data-mce-* attributes cannot become scriptable content.
Inputs
- TinyMCE version, package manager and lockfile state, vendored/CDN assets, editor configuration, enabled plugins, sanitizer configuration, CSP, and SBOM or generated dependency reports.
- Source paths that configure TinyMCE, accept rich text, store HTML, sanitize or render stored content, generate previews, exports, emails, PDFs, or mobile webview content.
- Regression fixtures for benign rich text,
data-mce-href,data-mce-src,data-mce-style, event handlers, JavaScript URLs, unsafe CSS, and stripped editor-internal attributes. - Boundary evidence: author/viewer roles, tenant/admin crossing, stored-content migration plan, content ownership, logs, rollout owner, and operator cleanup requirements.
Affected versions
- Vulnerable packages:
tinymce(npm),tinymce/tinymce(Composer), andTinyMCE(NuGet) - Vulnerable ranges:
<5.11.1,>=6.0.0, <7.9.3, and>=8.0.0, <8.5.1 - Fixed versions:
5.11.1LTS,7.9.3,8.5.1, or later on the selected release line - Affected attributes:
data-mce-href,data-mce-src,data-mce-style, and adjacentdata-mce-*editor-internal attributes that can influence serializedhref,src, orstyle - Affected content: stored rich-text HTML that is rendered back to authors, reviewers, admins, customers, or anonymous visitors
Indicator-of-exposure
- The repository depends on, vendors, bundles, CDN-pins, or deploys TinyMCE in an affected range.
- Users outside the trusted developer/operator group can submit TinyMCE-backed rich text, CMS pages, product descriptions, comments, tickets, emails, templates, notifications, wiki pages, admin notes, or help-center content.
- Stored TinyMCE HTML is rendered to other users through server templates, client hydration, preview routes, exports, emails, PDFs, or mobile/webview clients.
- The application trusts client-side TinyMCE filtering without a server-side sanitizer or stores raw editor HTML for later rendering.
- Content security policy, iframe isolation, or sanitizer tests are absent or
do not cover
data-mce-*attributes.
Quick checks:
rg -n "tinymce|TinyMCE|data-mce-|mce:|valid_elements|extended_valid_elements|media|link|image|rich text|wysiwyg|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|data-mce-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates . 2>/dev/null
Windows:
rg -n "tinymce|TinyMCE|data-mce-|mce:|valid_elements|extended_valid_elements|media|link|image|rich text|wysiwyg|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|data-mce-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates .
Do not paste exploit HTML into production editors, publish test XSS content, open stored customer content in a privileged browser, or dump user-authored HTML during triage.
Remediation strategy
- Upgrade every controlled TinyMCE package, vendored asset, CDN URL, lockfile,
SBOM, generated dependency report, and rendered deployment artifact to
5.11.1LTS,7.9.3+, or8.5.1+on the selected release line. - Prefer
8.5.1+for active 8.x deployments and7.9.3+for active 7.x deployments. Treat TinyMCE 6.x as needing a supported-line migration because the fixed ranges published for this advisory are 5 LTS, 7.x, and 8.x. - Keep or add server-side HTML sanitization for stored content. The sanitizer
should strip TinyMCE-internal
data-mce-*attributes unless there is a narrowly reviewed business need. - Re-sanitize or safely re-save existing stored rich-text records that may have been authored before the upgrade. If bulk rewrite is unsafe, add an on-read/on-render sanitizer and document the cleanup backlog.
- Add regression tests that pass benign rich text but reject or strip
data-mce-href,data-mce-src,data-mce-style, event handlers, JavaScript URLs, unsafe CSS, and nested editor-internal attributes before content reaches another user’s browser. - Review CSP, iframe sandboxing, preview routes, export/render pipelines, and email/PDF renderers so the fix is not limited to the edit screen.
The prompt
You are remediating CVE-2026-47759 / GHSA-q742-qvgc-gc2f, a TinyMCE stored
XSS issue where unsafe `data-mce-*` attributes can override sanitized `href`,
`src`, or `style` values during editor serialization. Produce exactly one
output:
- A reviewer-ready PR/change request that upgrades TinyMCE, preserves
server-side HTML sanitization, adds stored-content regression coverage,
refreshes generated artifacts, and documents content cleanup, or
- TRIAGE.md if this repository does not control an affected TinyMCE runtime,
package, vendored asset, CDN pin, or rich-text rendering surface.
## Rules
- Scope only CVE-2026-47759 / GHSA-q742-qvgc-gc2f and directly related
TinyMCE stored-content sanitization and rendering controls.
- Treat stored rich text, customer content, admin notes, email bodies, CMS
pages, session cookies, auth tokens, screenshots, exports, and rendered
previews as sensitive.
- Do not create or publish exploit pages, execute JavaScript payloads, paste
test XSS into production editors, use privileged browsers for unsafe
previews, or dump customer-authored HTML into logs or commits.
- Do not remove server-side sanitizers, CSP, iframe isolation, content approval,
audit logs, or rich-text tests to make the upgrade pass.
- Do not auto-merge.
## Steps
1. Inventory every TinyMCE reference controlled by this repository: npm,
Composer, NuGet, lockfiles, vendored static assets, CDN URLs, package
managers, Docker images, CMS plugins, admin bundles, mobile/webview assets,
SBOMs, generated dependency reports, and docs that pin versions.
2. Determine every resolved TinyMCE version. A target is vulnerable if it
resolves to `<5.11.1`, `>=6.0.0, <7.9.3`, or `>=8.0.0, <8.5.1`.
3. Search for rich-text surfaces and render paths: WYSIWYG editors, CMS pages,
comments, tickets, product descriptions, notifications, email templates,
markdown/HTML imports, preview routes, exports, PDFs, mobile/webviews,
`valid_elements`, `extended_valid_elements`, `data-mce-*`, sanitizer
configuration, CSP, iframe sandboxing, and stored-content migrations.
4. If the repository only contains documentation or an external vendor owns
TinyMCE, stop with `TRIAGE.md` listing checked files, runtime owner, and the
required fixed version.
5. Upgrade all controlled TinyMCE references:
- 5.x LTS deployments to `5.11.1+` when a commercial LTS path is available;
- 7.x deployments to `7.9.3+`;
- 8.x deployments to `8.5.1+`;
- 6.x deployments to a supported fixed line, normally `7.9.3+` or `8.5.1+`.
6. Refresh lockfiles, package-manager metadata, vendored assets, CDN hashes,
image digests, rendered deployment artifacts, SBOMs, dependency reports, and
release documentation.
7. Verify or patch stored-content sanitization:
- sanitize on the server before storage or before rendering;
- strip TinyMCE-internal `data-mce-*` attributes unless explicitly needed;
- reject or neutralize JavaScript URLs, event handlers, unsafe CSS, SVG
script vectors, and nested editor-internal attributes;
- ensure preview, export, email, PDF, and mobile/webview renderers use the
same sanitized content boundary as normal page views.
8. Add safe regression coverage without executing payloads:
- dependency policy rejects affected TinyMCE versions;
- benign rich text still renders;
- `data-mce-href`, `data-mce-src`, and `data-mce-style` are stripped or
cannot override safe `href`, `src`, and `style`;
- sanitizer output contains no scriptable URLs, event handlers, or
unauthorized `data-mce-*` attributes;
- logs and test snapshots do not contain customer content or session data.
9. Add a PR body section named `CVE-2026-47759 operator actions` that states:
- TinyMCE versions before and after;
- every rich-text authoring surface and rendering surface checked;
- whether server-side sanitization was already present or added;
- whether existing stored rich text must be re-sanitized, migrated, or
cleaned on read;
- whether CSP, iframe sandboxing, email/PDF renderers, or mobile/webview
clients need follow-up;
- which validation commands passed.
10. Run available validation: package install, lockfile integrity, frontend
tests, sanitizer unit tests, rich-text render tests, lint/typecheck,
browser smoke tests, container build, SBOM refresh, and dependency/security
scans.
11. Use PR title:
`fix(sec): remediate CVE-2026-47759 in TinyMCE`
## Stop conditions
- No affected TinyMCE package, vendored asset, CDN pin, or rich-text rendering
surface is controlled by this repository.
- The TinyMCE runtime or CMS plugin is owned by another team or vendor; name
the owner and required fixed versions in `TRIAGE.md`.
- Moving from TinyMCE 6.x or unsupported 5.x requires a broader product
migration that cannot fit in this PR.
- Validating exposure would require publishing exploit HTML, using production
content, opening unsafe previews in a privileged browser, or exposing stored
customer data.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades TinyMCE, preserves or adds server-side sanitization, adds stored-content regression tests, refreshes generated artifacts, and documents cleanup/operator actions.
- Or a
TRIAGE.mdfile that lists inspected packages/assets/config, owner, observed version, rich-text authoring/rendering boundary, required fix, and residual risk. - The output must include exact validation commands and must not publish exploit HTML, expose customer-authored content, weaken sanitizers/CSP, or open unsafe content in privileged sessions.
Verification - what the reviewer looks for
- No controlled npm, Composer, NuGet, vendored asset, CDN URL, image, SBOM, or
generated report resolves TinyMCE to
<5.11.1,>=6.0.0, <7.9.3, or>=8.0.0, <8.5.1. - Stored rich-text render paths use patched TinyMCE assets and server-side sanitization or an equivalent trusted render boundary.
- Regression tests show
data-mce-href,data-mce-src, anddata-mce-stylecannot override sanitized attributes. - Existing content cleanup is either completed, safely handled on render, or explicitly tracked as an operator action.
- The PR avoids exploit execution and does not expose customer-authored HTML, cookies, tokens, screenshots, exports, or admin-only content.
Related recipes
- Source code injection sink audit
- Source code secrets and data exposure audit
- OWASP Top 10 2026 audit
- NIST SSDF repository evidence check
Watch for
- Updating npm while a CMS plugin, Composer package, NuGet package, vendored asset, CDN URL, or static bundle still serves an affected TinyMCE build.
- Treating TinyMCE client-side filtering as a replacement for server-side sanitization.
- Sanitizing only edit screens while previews, public pages, email, PDF export, or mobile/webview clients render older stored HTML.
- Leaving
extended_valid_elementsrules that preserve broaddata-mce-*,style, or URL-bearing attributes for untrusted authors. - Snapshot tests that commit real customer content or privileged rendered HTML.
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-q742-qvgc-gc2f
- TinyMCE 7.9.3 release notes: https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview
- TinyMCE 8.5.1 release notes: https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47759