dotnet · tinymce · Critical

TinyMCE Stored XSS via data-mce-* attributes

Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).

09 Jun 2026 · Read 1 min · Severity: act now

What changed

TinyMCE has a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Attackers can inject malicious values into these attributes that override the safe attributes during serialization, bypassing validation.

Who it affects

Users of TinyMCE versions prior to 5.11.1 LTS, 7.9.3, and 8.5.1.

What to do today

Upgrade to TinyMCE 8.5.1 or higher, 7.9.3 or higher, or 5.11.1 LTS or higher.
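
To check content that has already been saved, the following added example (not TinyMCE code and not part of the original advisory) scans stored HTML for the three attributes named above and marks those whose value differs from the visible href, src or style. The function names, record shape and sample HTML are constructed assumptions.

```javascript
// Added example: audit saved HTML for the data-mce-* attributes named in the advisory.
// Function names, record shape and sample HTML are constructed assumptions.
const WATCHED = ['href', 'src', 'style'];
// A start tag: name, then attribute text; quoted values may contain '>'.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
// One attribute: name, optionally followed by = "value" | 'value' | unquoted value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

// Parse a start tag's attribute text. Names are lower-cased and the first
// occurrence of a duplicated attribute wins, as in HTML parsing.
function parseAttributes(attrText) {
  const attrs = new Map();
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Report every data-mce-href/src/style attribute and whether its value
// differs from (or has no) visible href/src/style on the same tag.
function auditHtml(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const attrs = parseAttributes(tag[2]);
    for (const name of WATCHED) {
      const shadow = attrs.get(`data-mce-${name}`);
      if (shadow === undefined) continue;
      const visible = attrs.get(name);
      findings.push({
        tag: tag[1].toLowerCase(), attribute: `data-mce-${name}`,
        value: shadow, visible: visible ?? null,
        mismatch: visible === undefined || visible.trim() !== shadow.trim(),
      });
    }
  }
  return findings;
}

// Keep only the stored records that carry at least one watched attribute.
function auditRecords(records) {
  return records.map(({ id, html }) => ({ id, findings: auditHtml(html) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample rows standing in for saved editor content.
const SAMPLE_RECORDS = [
  { id: 1, html: '<p>Hello <a href="https://example.com/docs">docs</a></p>' },
  { id: 2, html: '<a href="https://example.com/" data-mce-href="https://other.example/x">link</a>' },
  { id: 3, html: "<img src='/img/a.png' DATA-MCE-SRC='/img/a.png' alt=\"a > b\">" },
  { id: 4, html: '<div data-mce-style="color: red">x</div>' },
];
console.log(JSON.stringify(auditRecords(SAMPLE_RECORDS), null, 2));
```

Records flagged with mismatch set to true are the ones to review first; the regex tokenizer is meant for auditing only, not for sanitizing HTML.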
