CVE-2026-47761 - TinyMCE media data-mce-object XSS
TinyMCE disclosed a stored XSS issue in the media plugin. Crafted
data-mce-object and data-mce-p-* attributes can survive rich-text handling
and execute script when the resulting content is rendered. The risky shape is a
multi-user application where less-trusted authors can submit embedded media or
rich HTML that is later viewed by admins, reviewers, customers, or anonymous
visitors.
Treat this as a stored-media rendering remediation, not only a package bump. The PR should upgrade every TinyMCE distribution, prove the media plugin no longer preserves scriptable internal attributes, and keep server-side HTML sanitization or trusted rendering boundaries in place.
When to use it
Use this recipe when a product uses TinyMCE’s media plugin or rich-media content paths and stored editor output can be viewed by other users, admins, customers, email recipients, exports, or mobile/webview clients. It is designed for source-code remediation, media-plugin upgrade review, server-side sanitizer evidence, stored-media cleanup planning, and proof that TinyMCE media-internal attributes cannot become scriptable object/embed content.
Inputs
- TinyMCE version, package manager and lockfile state, vendored/CDN assets, media plugin configuration, embed policy, sanitizer configuration, CSP, iframe sandboxing, and generated dependency reports.
- Source paths that configure TinyMCE media, accept rich media, store HTML, sanitize or render content, generate previews, exports, emails, PDFs, or mobile/webview content.
- Regression fixtures for benign media embeds,
data-mce-object,data-mce-p-*, untrusted object/embed markup, JavaScript URLs, event handlers, unsafe CSS, and stripped editor-internal attributes. - Boundary evidence: media authors, privileged viewers, tenant crossing, stored-content cleanup plan, content ownership, logs, and rollout owner.
Affected versions
- Vulnerable packages:
tinymce(npm),tinymce/tinymce(Composer), andTinyMCE(NuGet) - Vulnerable ranges:
<5.11.1,>=6.0.0, <7.9.3, and>=8.0.0, <8.5.1 - Fixed versions:
5.11.1LTS,7.9.3,8.5.1, or later on the selected release line - Affected plugin: TinyMCE media plugin
- Affected attribute family:
data-mce-objectanddata-mce-p-*
Indicator-of-exposure
- The repository depends on, vendors, bundles, CDN-pins, or deploys TinyMCE in an affected range.
- TinyMCE’s media plugin is enabled directly or through a preset/editor bundle.
- Users outside the trusted developer/operator group can submit or import rich media content, CMS pages, product descriptions, comments, tickets, marketing pages, help-center content, email templates, or admin notes.
- Stored TinyMCE content is rendered to other users through normal pages, previews, admin review screens, exports, emails, PDFs, mobile/webviews, or customer support tools.
- Server-side sanitization, CSP, iframe sandboxing, or render tests do not
cover TinyMCE internal
data-mce-objectanddata-mce-p-*attributes.
Quick checks:
rg -n "tinymce|TinyMCE|plugins:\\s*.*media|media_live_embeds|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html|wysiwyg|rich text" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|media|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates . 2>/dev/null
Windows:
rg -n "tinymce|TinyMCE|plugins:\\s*.*media|media_live_embeds|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements|sanitize|DOMPurify|HtmlSanitizer|bleach|sanitize-html|wysiwyg|rich text" .
npm ls tinymce
pnpm why tinymce
yarn why tinymce
composer show tinymce/tinymce
dotnet list package | rg -i "tinymce"
rg -n "tinymce|TinyMCE|media|data-mce-object|data-mce-p-|extended_valid_elements|valid_elements" package.json package-lock.json pnpm-lock.yaml yarn.lock composer.json composer.lock *.csproj static public assets src app resources templates .
Do not publish exploit media HTML, open unsafe stored content in a privileged browser, paste payloads into production editors, or dump user-authored content into logs or commits.
Remediation strategy
- Upgrade every controlled TinyMCE package, vendored asset, CDN URL, lockfile,
SBOM, generated dependency report, and rendered deployment artifact to
5.11.1LTS,7.9.3+, or8.5.1+on the selected release line. - Prefer
8.5.1+for active 8.x deployments and7.9.3+for active 7.x deployments. Treat 6.x as needing a supported-line migration because the published fixed ranges are 5 LTS, 7.x, and 8.x. - Keep or add server-side HTML sanitization for stored media content. Strip
TinyMCE-internal
data-mce-objectanddata-mce-p-*attributes unless a narrowly reviewed trusted-author use case requires them. - Re-sanitize existing stored media content, or enforce on-read/on-render sanitization until a migration can safely clean old records.
- Add regression tests for media-plugin content that preserve benign embeds but
strip or neutralize scriptable
data-mce-object,data-mce-p-*, event handlers, JavaScript URLs, unsafe CSS, and SVG/script vectors before content reaches another user’s browser. - If CVE-2026-47759 is also in scope, combine validation and content cleanup so both TinyMCE attribute advisories are remediated in one reviewed upgrade path.
The prompt
You are remediating CVE-2026-47761 / GHSA-vg35-5wq7-3x7w, a TinyMCE media
plugin stored XSS issue involving `data-mce-object` and `data-mce-p-*`
attributes. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades TinyMCE, preserves or adds
server-side sanitization for rich media, refreshes generated artifacts, adds
safe regression coverage, and documents stored-content cleanup, or
- TRIAGE.md if this repository does not control an affected TinyMCE runtime,
package, vendored asset, CDN pin, media plugin use, or rich-media rendering
surface.
## Rules
- Scope only CVE-2026-47761 / GHSA-vg35-5wq7-3x7w and directly related TinyMCE
media-plugin sanitization and rendering controls. If CVE-2026-47759 is
present, note the shared upgrade path without expanding into unrelated editor
changes.
- Treat stored rich text, media embeds, customer content, admin notes, email
bodies, CMS pages, session cookies, auth tokens, screenshots, exports, and
rendered previews as sensitive.
- Do not create exploit pages, execute JavaScript payloads, paste test XSS into
production editors, use privileged browsers for unsafe previews, or commit
customer-authored HTML.
- Do not remove server-side sanitizers, CSP, iframe isolation, content approval,
audit logs, or rich-media tests to make the upgrade pass.
- Do not auto-merge.
## Steps
1. Inventory every TinyMCE reference controlled by this repository: npm,
Composer, NuGet, lockfiles, vendored static assets, CDN URLs, package
managers, Docker images, CMS plugins, admin bundles, mobile/webview assets,
SBOMs, generated dependency reports, and docs that pin versions.
2. Determine every resolved TinyMCE version. A target is vulnerable if it
resolves to `<5.11.1`, `>=6.0.0, <7.9.3`, or `>=8.0.0, <8.5.1`.
3. Search for media-plugin usage and render paths:
`plugins: "media"`, media presets, `media_live_embeds`, embed importers,
CMS media blocks, comments, tickets, product descriptions, previews, exports,
emails, PDFs, mobile/webviews, `valid_elements`, `extended_valid_elements`,
`data-mce-object`, `data-mce-p-*`, sanitizer configuration, CSP, and iframe
sandboxing.
4. If the repository only contains documentation or an external vendor owns
TinyMCE, stop with `TRIAGE.md` listing checked files, runtime owner, and the
required fixed version.
5. Upgrade all controlled TinyMCE references:
- 5.x LTS deployments to `5.11.1+` when a commercial LTS path is available;
- 7.x deployments to `7.9.3+`;
- 8.x deployments to `8.5.1+`;
- 6.x deployments to a supported fixed line, normally `7.9.3+` or `8.5.1+`.
6. Refresh lockfiles, package-manager metadata, vendored assets, CDN hashes,
image digests, rendered deployment artifacts, SBOMs, dependency reports, and
release documentation.
7. Verify or patch stored-media sanitization:
- sanitize on the server before storage or before rendering;
- strip TinyMCE-internal `data-mce-object` and `data-mce-p-*` attributes for
untrusted authors;
- reject or neutralize JavaScript URLs, event handlers, unsafe CSS, SVG
script vectors, untrusted iframe/object/embed markup, and nested editor
internal attributes;
- ensure preview, export, email, PDF, and mobile/webview renderers use the
same sanitized content boundary as normal page views.
8. Add safe regression coverage without executing payloads:
- dependency policy rejects affected TinyMCE versions;
- benign media embeds still render;
- `data-mce-object` and `data-mce-p-*` are stripped or cannot execute;
- sanitizer output contains no scriptable URLs, event handlers, untrusted
object/embed markup, or unauthorized `data-mce-*` attributes;
- logs and test snapshots do not contain customer content or session data.
9. Add a PR body section named `CVE-2026-47761 operator actions` that states:
- TinyMCE versions before and after;
- whether the media plugin is enabled and where;
- every rich-media authoring and rendering surface checked;
- whether server-side sanitization was already present or added;
- whether existing stored media content must be re-sanitized, migrated, or
cleaned on read;
- whether CSP, iframe sandboxing, email/PDF renderers, or mobile/webview
clients need follow-up;
- which validation commands passed.
10. Run available validation: package install, lockfile integrity, frontend
tests, sanitizer unit tests, media render tests, lint/typecheck, browser
smoke tests, container build, SBOM refresh, and dependency/security scans.
11. Use PR title:
`fix(sec): remediate CVE-2026-47761 in TinyMCE media plugin`.
## Stop conditions
- No affected TinyMCE package, vendored asset, CDN pin, media plugin use, or
rich-media rendering surface is controlled by this repository.
- The TinyMCE runtime or CMS plugin is owned by another team or vendor; name
the owner and required fixed versions in `TRIAGE.md`.
- Moving from TinyMCE 6.x or unsupported 5.x requires a broader product
migration that cannot fit in this PR.
- Validating exposure would require publishing exploit HTML, using production
content, opening unsafe previews in a privileged browser, or exposing stored
customer data.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades TinyMCE, preserves or adds rich-media sanitizer coverage, adds safe media-plugin regression tests, refreshes generated artifacts, and documents stored-media cleanup.
- Or a
TRIAGE.mdfile that lists inspected packages/assets/config, owner, observed version, media-plugin use, rich-media render boundary, required fix, and residual risk. - The output must include exact validation commands and must not execute XSS payloads, publish exploit media HTML, expose customer-authored content, or remove sanitizer/CSP/iframe protections.
Verification - what the reviewer looks for
- No controlled npm, Composer, NuGet, vendored asset, CDN URL, image, SBOM, or
generated report resolves TinyMCE to
<5.11.1,>=6.0.0, <7.9.3, or>=8.0.0, <8.5.1. - Media-plugin rich-text render paths use patched TinyMCE assets and server-side sanitization or an equivalent trusted render boundary.
- Regression tests show
data-mce-objectanddata-mce-p-*are stripped, rejected, or rendered inert for untrusted authors. - Existing media content cleanup is either completed, safely handled on render, or explicitly tracked as an operator action.
- The PR avoids exploit execution and does not expose customer-authored HTML, cookies, tokens, screenshots, exports, or admin-only content.
Related recipes
- Source code injection sink audit
- Source code secrets and data exposure audit
- OWASP Top 10 2026 audit
- NIST SSDF repository evidence check
Watch for
- Updating npm while a CMS plugin, Composer package, NuGet package, vendored asset, CDN URL, or static bundle still serves an affected TinyMCE build.
- Fixing text editor screens while media previews, public pages, email, PDF export, or mobile/webview clients render older stored HTML.
- Leaving
extended_valid_elementsrules that preserve broaddata-mce-*, object/embed markup,style, or URL-bearing attributes for untrusted authors. - Assuming CVE-2026-47759 coverage automatically proves this media-plugin issue
is fixed; check
data-mce-objectanddata-mce-p-*explicitly. - Snapshot tests that commit real customer content or privileged rendered HTML.
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-vg35-5wq7-3x7w
- TinyMCE 7.9.3 release notes: https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview
- TinyMCE 8.5.1 release notes: https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47761