IA Squad
php · tinymce · Critical

TinyMCE Stored XSS via data-mce-* Attributes


09 Jun 2026 · Severity: act now

What changed

TinyMCE has a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). It allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation.

Who it affects

Users of TinyMCE 5.x, 7.x, and 8.x on versions before the patched releases.

What to do today

Upgrade to TinyMCE 8.5.1 or higher, 7.9.3 or higher, or 5.11.1 LTS or higher.
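For reviewing editor content that was saved before the upgrade, the following added example (not code from TinyMCE or from this advisory) scans stored HTML for the three attributes named above and reports elements where the data-mce-* value differs from the visible attribute it shadows. The mismatch rule, the record layout and the sample rows are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Internal attributes named in the advisory, mapped to the visible attribute each shadows.
SHADOWED = {"data-mce-href": "href", "data-mce-src": "src", "data-mce-style": "style"}


class _ShadowAttrScanner(HTMLParser):
    """Collects start tags whose data-mce-* value disagrees with the visible one."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names and decodes entities in values.
        seen = {}
        for name, value in attrs:
            seen.setdefault(name, (value or "").strip())  # first duplicate wins
        for shadow, visible in SHADOWED.items():
            if shadow in seen and seen[shadow] != seen.get(visible, ""):
                self.hits.append((tag, shadow, seen[shadow], seen.get(visible)))


def audit(records):
    """Return (record_id, tag, attr, shadow_value, visible_value) per mismatch."""
    findings = []
    for record_id, html in records.items():
        scanner = _ShadowAttrScanner()
        scanner.feed(html)
        scanner.close()
        findings.extend((record_id, *hit) for hit in scanner.hits)
    return findings


# Constructed sample rows (hypothetical record ids and URLs), not data from the advisory.
SAMPLE = {
    "post-1": '<p><a href="https://example.com/">ok</a></p>',
    "post-2": '<p><a href="https://example.com/" data-mce-href="https://example.com/">same</a></p>',
    "post-3": '<p><a href="https://example.com/" DATA-MCE-HREF="https://other.example/">x</a></p>',
    "post-4": '<img alt="" data-mce-src="https://other.example/a.png"/>',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding marks a record for manual review; it does not by itself show that the stored value is malicious.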
