CVE-2026-47762

Description

### Impact Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. ### Patches Patched by validating decoded mce:protected content against configured protect regex rules before restoring. Users should upgrade to the latest patched version. ### Workarounds No official workaround available. ### Fix To avoid this vulnerability: Upgrade to TinyMCE 8.5.1 or higher. Upgrade to TinyMCE 7.9.3 or higher. Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial [long-term support](https://www.tiny.cloud/long-term-support/) contract). ### Acknowledgements Tiny thanks [Ivan Babenko](https://github.com/he1d3n) for their help identifying this vulnerability.

How to fix CVE-2026-47762

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed
• —no fix listed
• —no fix listed

Is CVE-2026-47762 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47762.

Affected packages (3)

• from 0
• from 0
• from 0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-47762
• PATCHgithub.com/tinymce/tinymce
• WEBgithub.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv
• WEBwww.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview