Untriaged
CVE-2026-47762
8.7 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
TinyMCE is an open source rich text editor. Prior to versions 5.11.1, 7.9.3, and 8.5.1, a stored XSS vulnerability exists via forged `mce:protected` comments, which allows attackers to bypass sanitization and inject scripts that execute when the protected content is restored. It affects users who enable the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1.
References
- https://github.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv (x_refsource_CONFIRM)
- https://www.tiny.cloud/docs/tinymce/7/7.9.3-release-notes/#overview (x_refsource_MISC)
- https://www.tiny.cloud/docs/tinymce/8/8.5.1-release-notes/#overview (x_refsource_MISC)
Affected products
tinymce
- < 5.11.1
- >= 6.0.0, <= 6.8.6
- >= 7.0.0, < 7.9.3
- >= 8.0.0, < 8.5.1
Matching in nixpkgs
- pkgs.python312Packages.django-tinymce: Django application that contains a widget to render a form field as a TinyMCE editor
- pkgs.python313Packages.django-tinymce: Django application that contains a widget to render a form field as a TinyMCE editor
- pkgs.python314Packages.django-tinymce: Django application that contains a widget to render a form field as a TinyMCE editor
Package maintainers
- @onny Jonas Heinrich <onny@project-insanity.org>