CVE-2026-47760
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
Description
### Impact TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested <svg> elements can bypass attribute sanitization and execute arbitrary JavaScript. ### Patches This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fixed in TinyMCE 7.1.0 and later. ### Workarounds No official workaround available. ### Acknowledgements Tiny thanks [maple3142](https://github.com/maple3142) (<https://maple3142.net>) of DEVCORE for their help identifying this vulnerability. ### References Fix introduced in TinyMCE 7.1.0 though a rewrite of code causing the vulnerability.
How to fix CVE-2026-47760
To remediate CVE-2026-47760, upgrade the affected package to a fixed version below.
- —upgrade to 7.1.0 or later
- —upgrade to 7.1.0 or later
- —upgrade to 7.1.0 or later
Is CVE-2026-47760 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47760.
Affected packages (3)
- >= 6.8.0, < 7.1.0
- >= 6.8.0, < 7.1.0
- >= 6.8.0, < 7.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |