CVE-2026-47760

Description

TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0.

References

• https://github.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69