CVE-2026-47761 - TinyMCE media data-mce-object XSS

TinyMCE disclosed a stored XSS issue in the media plugin. Crafted data-mce-object and data-mce-p-* attributes can survive rich-text handling and execute script when the resulting content is rendered. The risky shape is a multi-user application where less-trusted authors can submit embedded media or rich HTML that is later viewed by admins, reviewers, customers, or anonymous visitors.

Treat this as a stored-media rendering remediation, not only a package bump. The PR should upgrade every TinyMCE distribution, prove the media plugin no longer preserves scriptable internal attributes, and keep server-side HTML sanitization or trusted rendering boundaries in place.

When to use it

Use this recipe when a product uses TinyMCE’s media plugin or rich-media content paths and stored editor output can be viewed by other users, admins, customers, email recipients, exports, or mobile/webview clients. It is designed for source-code remediation, media-plugin upgrade review, server-side sanitizer evidence, stored-media cleanup planning, and proof that TinyMCE media-internal attributes cannot become scriptable object/embed content.

Inputs

  • TinyMCE version, package manager and lockfile state, vendored/CDN assets, media plugin configuration, embed policy, sanitizer configuration, CSP, iframe sandboxing, and generated dependency reports.
  • Source paths that configure TinyMCE media, accept rich media, store HTML, sanitize or render content, generate previews, exports, emails, PDFs, or mobile/webview content.
  • Regression fixtures for benign media embeds, data-mce-object, data-mce-p-*, untrusted object/embed markup, JavaScript URLs, event handlers, unsafe CSS, and stripped editor-internal attributes.
  • Boundary evidence: media authors, privileged viewers, tenant crossing, stored-content cleanup plan, content ownership, logs, and rollout owner.

Affected versions

  • Vulnerable packages: tinymce (npm), tinymce/tinymce (Composer), and TinyMCE (NuGet)
  • Vulnerable ranges: <5.11.1, >=6.0.0, <7.9.3, and >=8.0.0, <8.5.1
  • Fixed versions: 5.11.1 LTS, 7.9.3, 8.5.1, or later on the selected release line
  • Affected plugin: TinyMCE media plugin
  • Affected attribute family: data-mce-object and data-mce-p-*

Indicator-of-exposure

  • The repository depends on, vendors, bundles, CDN-pins, or deploys TinyMCE in an affected range.
  • TinyMCE’s media plugin is enabled directly or through a preset/editor bundle.
  • Users outside the trusted developer/operator group can submit or import rich media content, CMS pages, product descriptions, comments, tickets, marketing pages, help-center content, email templates, or admin notes.
  • Stored TinyMCE content is rendered to other users through normal pages, previews, admin review screens, exports, emails, PDFs, mobile/webviews, or customer support tools.
  • Server-side sanitization, CSP, iframe sandboxing, or render tests do not cover TinyMCE internal data-mce-object and data-mce-p-* attributes.

Quick checks:

rg -n "tinymce|TinyMCE|plugins:\\s*.*media|media_live_embeds|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html|wysiwyg|rich text" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|media|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates . 2>/dev/null

Windows:

rg -n "tinymce|TinyMCE|plugins:\\s*.*media|media_live_embeds|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html|wysiwyg|rich text" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|media|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates .

Do not publish exploit media HTML, open unsafe stored content in a privileged browser, paste payloads into production editors, or dump user-authored content into logs or commits.

Remediation strategy

  • Upgrade every controlled TinyMCE package, vendored asset, CDN URL, lockfile, SBOM, generated dependency report, and rendered deployment artifact to 5.11.1 LTS, 7.9.3+, or 8.5.1+ on the selected release line.
  • Prefer 8.5.1+ for active 8.x deployments and 7.9.3+ for active 7.x deployments. Treat 6.x as needing a supported-line migration because the published fixed ranges are 5 LTS, 7.x, and 8.x.
  • Keep or add server-side HTML sanitization for stored media content. Strip TinyMCE-internal data-mce-object and data-mce-p-* attributes unless a narrowly reviewed trusted-author use case requires them.
  • Re-sanitize existing stored media content, or enforce on-read/on-render sanitization until a migration can safely clean old records.
  • Add regression tests for media-plugin content that preserve benign embeds but strip or neutralize scriptable data-mce-object, data-mce-p-*, event handlers, JavaScript URLs, unsafe CSS, and SVG/script vectors before content reaches another user’s browser.
  • If CVE-2026-47759 is also in scope, combine validation and content cleanup so both TinyMCE attribute advisories are remediated in one reviewed upgrade path.

The prompt

You are remediating CVE-2026-47761 / GHSA-vg35-5wq7-3x7w, a TinyMCE media
plugin stored XSS issue involving `data-mce-object` and `data-mce-p-*`
attributes. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades TinyMCE, preserves or adds
  server-side sanitization for rich media, refreshes generated artifacts, adds
  safe regression coverage, and documents stored-content cleanup, or
- TRIAGE.md if this repository does not control an affected TinyMCE runtime,
  package, vendored asset, CDN pin, media plugin use, or rich-media rendering
  surface.

## Rules

- Scope only CVE-2026-47761 / GHSA-vg35-5wq7-3x7w and directly related TinyMCE
  media-plugin sanitization and rendering controls. If CVE-2026-47759 is
  present, note the shared upgrade path without expanding into unrelated editor
  changes.
- Treat stored rich text, media embeds, customer content, admin notes, email
  bodies, CMS pages, session cookies, auth tokens, screenshots, exports, and
  rendered previews as sensitive.
- Do not create exploit pages, execute JavaScript payloads, paste test XSS into
  production editors, use privileged browsers for unsafe previews, or commit
  customer-authored HTML.
- Do not remove server-side sanitizers, CSP, iframe isolation, content approval,
  audit logs, or rich-media tests to make the upgrade pass.
- Do not auto-merge.

## Steps

1. Inventory every TinyMCE reference controlled by this repository: npm,
   Composer, NuGet, lockfiles, vendored static assets, CDN URLs, package
   managers, Docker images, CMS plugins, admin bundles, mobile/webview assets,
   SBOMs, generated dependency reports, and docs that pin versions.
2. Determine every resolved TinyMCE version. A target is vulnerable if it
   resolves to `<5.11.1`, `>=6.0.0, <7.9.3`, or `>=8.0.0, <8.5.1`.
3. Search for media-plugin usage and render paths:
   `plugins: "media"`, media presets, `media_live_embeds`, embed importers,
   CMS media blocks, comments, tickets, product descriptions, previews, exports,
   emails, PDFs, mobile/webviews, `valid_elements`, `extended_valid_elements`,
   `data-mce-object`, `data-mce-p-*`, sanitizer configuration, CSP, and iframe
   sandboxing.
4. If the repository only contains documentation or an external vendor owns
   TinyMCE, stop with `TRIAGE.md` listing checked files, runtime owner, and the
   required fixed version.
5. Upgrade all controlled TinyMCE references:
   - 5.x LTS deployments to `5.11.1+` when a commercial LTS path is available;
   - 7.x deployments to `7.9.3+`;
   - 8.x deployments to `8.5.1+`;
   - 6.x deployments to a supported fixed line, normally `7.9.3+` or `8.5.1+`.
6. Refresh lockfiles, package-manager metadata, vendored assets, CDN hashes,
   image digests, rendered deployment artifacts, SBOMs, dependency reports, and
   release documentation.
7. Verify or patch stored-media sanitization:
   - sanitize on the server before storage or before rendering;
   - strip TinyMCE-internal `data-mce-object` and `data-mce-p-*` attributes for
     untrusted authors;
   - reject or neutralize JavaScript URLs, event handlers, unsafe CSS, SVG
     script vectors, untrusted iframe/object/embed markup, and nested editor
     internal attributes;
   - ensure preview, export, email, PDF, and mobile/webview renderers use the
     same sanitized content boundary as normal page views.
8. Add safe regression coverage without executing payloads:
   - dependency policy rejects affected TinyMCE versions;
   - benign media embeds still render;
   - `data-mce-object` and `data-mce-p-*` are stripped or cannot execute;
   - sanitizer output contains no scriptable URLs, event handlers, untrusted
     object/embed markup, or unauthorized `data-mce-*` attributes;
   - logs and test snapshots do not contain customer content or session data.
9. Add a PR body section named `CVE-2026-47761 operator actions` that states:
   - TinyMCE versions before and after;
   - whether the media plugin is enabled and where;
   - every rich-media authoring and rendering surface checked;
   - whether server-side sanitization was already present or added;
   - whether existing stored media content must be re-sanitized, migrated, or
     cleaned on read;
   - whether CSP, iframe sandboxing, email/PDF renderers, or mobile/webview
     clients need follow-up;
   - which validation commands passed.
10. Run available validation: package install, lockfile integrity, frontend
    tests, sanitizer unit tests, media render tests, lint/typecheck, browser
    smoke tests, container build, SBOM refresh, and dependency/security scans.
11. Use PR title:
    `fix(sec): remediate CVE-2026-47761 in TinyMCE media plugin`.

## Stop conditions

- No affected TinyMCE package, vendored asset, CDN pin, media plugin use, or
  rich-media rendering surface is controlled by this repository.
- The TinyMCE runtime or CMS plugin is owned by another team or vendor; name
  the owner and required fixed versions in `TRIAGE.md`.
- Moving from TinyMCE 6.x or unsupported 5.x requires a broader product
  migration that cannot fit in this PR.
- Validating exposure would require publishing exploit HTML, using production
  content, opening unsafe previews in a privileged browser, or exposing stored
  customer data.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades TinyMCE, preserves or adds rich-media sanitizer coverage, adds safe media-plugin regression tests, refreshes generated artifacts, and documents stored-media cleanup.
  • Or a TRIAGE.md file that lists inspected packages/assets/config, owner, observed version, media-plugin use, rich-media render boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not execute XSS payloads, publish exploit media HTML, expose customer-authored content, or remove sanitizer/CSP/iframe protections.

Verification - what the reviewer looks for

  • No controlled npm, Composer, NuGet, vendored asset, CDN URL, image, SBOM, or generated report resolves TinyMCE to <5.11.1, >=6.0.0, <7.9.3, or >=8.0.0, <8.5.1.
  • Media-plugin rich-text render paths use patched TinyMCE assets and server-side sanitization or an equivalent trusted render boundary.
  • Regression tests show data-mce-object and data-mce-p-* are stripped, rejected, or rendered inert for untrusted authors.
  • Existing media content cleanup is either completed, safely handled on render, or explicitly tracked as an operator action.
  • The PR avoids exploit execution and does not expose customer-authored HTML, cookies, tokens, screenshots, exports, or admin-only content.

Watch for

  • Updating npm while a CMS plugin, Composer package, NuGet package, vendored asset, CDN URL, or static bundle still serves an affected TinyMCE build.
  • Fixing text editor screens while media previews, public pages, email, PDF export, or mobile/webview clients render older stored HTML.
  • Leaving extended_valid_elements rules that preserve broad data-mce-*, object/embed markup, style, or URL-bearing attributes for untrusted authors.
  • Assuming CVE-2026-47759 coverage automatically proves this media-plugin issue is fixed; check data-mce-object and data-mce-p-* explicitly.
  • Snapshot tests that commit real customer content or privileged rendered HTML.

References