CVE-2026-47759

描述

### Impact Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). Allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. ### Patches Patched by stripping unsafe data-mce-* attributes during parsing. Users should upgrade to the latest patched versions (5 LTS, 7.x, 8.x). ### Workarounds No official workaround available. ### Fix To avoid this vulnerability: Upgrade to TinyMCE 8.5.1 or higher. Upgrade to TinyMCE 7.9.3 or higher. Upgrade to TinyMCE 5.11.1 LTS or higher for TinyMCE 5.x (only available as part of commercial [long-term support](https://www.tiny.cloud/long-term-support/) contract). ### Acknowledgements Tiny thanks [Tadi Kadango](https://github.com/mtrill47) ([website](https://tadiwakadango.com/)) and [Ivan Babenko](https://github.com/he1d3n) for their help identifying this vulnerability.

如何修補 CVE-2026-47759

要修補 CVE-2026-47759,請將受影響套件升級到下列已修補版本。

• —未列出修補版本
• —升級至 5.11.1 或更新版本
• —未列出修補版本

CVE-2026-47759 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-47759 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(3)

• from 0
• from 0, < 5.11.1
• from 0

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-47759
• PATCHgithub.com/tinymce/tinymce
• WEBgithub.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f
• WEBwww.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview