IA Squad
js · tinymce · Critical

TinyMCE Stored XSS via Unsanitized data-mce-* Attributes

Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).

09 Jun 2026 · Read 1 min · Severity: act now

What changed

TinyMCE has a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Attackers can inject malicious values into these attributes that override the safe attributes during serialization, bypassing validation.

Who it affects

All users of TinyMCE versions prior to 5.11.1 LTS, 7.9.3, and 8.5.1.

What to do today

Upgrade to TinyMCE 8.5.1 or higher, 7.9.3 or higher, or 5.11.1 LTS or higher.
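
To find which installed copies still need the upgrade, the following added example (not code from TinyMCE or from this advisory's author) classifies every tinymce entry in a package-lock.json against the fixed releases listed above. The sample lockfile and its package names are constructed, and treating 6.x and older majors as affected is an assumption drawn from the "prior to" wording.

```javascript
// Added example. Fixed releases per major line, taken from this advisory.
const FIXED = { 5: [5, 11, 1], 7: [7, 9, 3], 8: [8, 5, 1] };

// Parse "major.minor.patch" with an optional pre-release tag; null if malformed.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(raw).trim());
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "fixed" or "unknown" for one tinymce version string.
function classify(raw) {
  const v = parseVersion(raw);
  if (!v) return "unknown";
  const fixed = FIXED[v.nums[0]];
  if (!fixed) {
    // Assumption: a major line with no fixed release listed (e.g. 6.x) is
    // affected if it sorts below 8, and counts as "higher than 8.5.1" above it.
    return v.nums[0] < 8 ? "affected" : "fixed";
  }
  const c = compare(v.nums, fixed);
  // A pre-release of the fixed version (e.g. 7.9.3-rc.1) sorts before it.
  return c < 0 || (c === 0 && v.pre) ? "affected" : "fixed";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3)
// and report every installed copy of tinymce, including nested ones.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/tinymce$/.test(path))
    .map(([path, pkg]) => ({ path, version: pkg.version, status: classify(pkg.version) }));
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/tinymce": { version: "7.9.2" },
    "node_modules/legacy-editor/node_modules/tinymce": { version: "5.11.1" },
    "node_modules/other-package": { version: "1.0.0" },
  },
};
console.log(auditLockfile(sampleLock));
```

Copies bundled outside npm (CDN script tags, vendored files) do not appear in a lockfile and need a separate check.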
