HomeCVE Intelligence › CVE-2026-47760
CVSS 8.7 HIGH Vulnerability

CVE-2026-47760: TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested…

Impact TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaSc…

8.7CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-47760
Vendornpm
Affected Producttinymce
Vulnerability TypeVulnerability
CVSS Score8.7 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Impact

TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript.

Patches

This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fixed in TinyMCE 7.1.0 and later.

Workarounds

No official workaround available.

Acknowledgements

Tiny thanks [maple3142](https://github.com/maple3142) ( ) of DEVCORE for their help identifying this vulnerability.

References

Fix introduced in TinyMCE 7.1.0 though a rewrite of code causing the vulnerability.

🎯 Known Indicators of Compromise

{"type":"url","value":"https://github.com/maple3142)","confidence_score":0.82,"first_seen":"2026-06-05","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-47760 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence