pkg:npm/tinymce

All known vulnerabilities

• HIGH8.7CVE-2026-47761TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
  from 0
• HIGH8.7CVE-2026-47762TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
  from 0
• HIGH8.7CVE-2026-47759TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
  from 0
• HIGH8.7TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
  >= 6.8.0, < 7.1.0
• MEDIUM6.1TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
  from 0, < 5.11.0
• MEDIUM6.1TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
  from 0, < 5.11.0
• MEDIUM6.1TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
  from 0, < 5.10.9
• MEDIUM6.1TinyMCE XSS vulnerability in notificationManager.open API
  >= 6.0.0, < 6.7.1
• MEDIUM6.1TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin
  >= 6.0.0, < 6.7.1
• MEDIUM6.1Cross-site scripting vulnerability in TinyMCE plugins
  from 0, < 5.10.0
• MEDIUM6.1Cross-site scripting vulnerability in TinyMCE
  from 0, < 5.9.0
• MEDIUM6.1Cross-site scripting vulnerability in TinyMCE
  from 0, < 4.9.11
• MEDIUM5.4Cross-site scripting vulnerability in TinyMCE alerts
  >= 6.0.0, < 6.3.1
• MEDIUM4.3TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
  from 0, < 6.8.1
• MEDIUM4.3TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
  from 0, < 7.0.0
• —Cross-site scripting vulnerability in TinyMCE
  from 0, < 5.6.0
• —XSS in TinyMCE
  from 0, < 4.9.10
• —Cross-site scripting vulnerability in TinyMCE
  from 0, < 4.9.7