CVE-2026-47760

描述

### Impact TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested <svg> elements can bypass attribute sanitization and execute arbitrary JavaScript. ### Patches This issue affects TinyMCE 6.8.x-7.0.x. The vulnerability is fixed in TinyMCE 7.1.0 and later. ### Workarounds No official workaround available. ### Acknowledgements Tiny thanks [maple3142](https://github.com/maple3142) (<https://maple3142.net>) of DEVCORE for their help identifying this vulnerability. ### References Fix introduced in TinyMCE 7.1.0 though a rewrite of code causing the vulnerability.

如何修補 CVE-2026-47760

要修補 CVE-2026-47760,請將受影響套件升級到下列已修補版本。

• —升級至 7.1.0 或更新版本
• —升級至 7.1.0 或更新版本
• —升級至 7.1.0 或更新版本

CVE-2026-47760 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-47760 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(3)

• >= 6.8.0, < 7.1.0
• >= 6.8.0, < 7.1.0
• >= 6.8.0, < 7.1.0

CVSS 分數

參考連結(3)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-47760
• PATCHgithub.com/tinymce/tinymce
• WEBgithub.com/tinymce/tinymce/security/advisories/GHSA-mh5m-5hw4-5c69