Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/tinymce/tinymce@5.1.1
Typecomposer
Namespacetinymce
Nametinymce
Version5.1.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version5.10.7
Latest_non_vulnerable_version7.2.0
Affected_by_vulnerabilities
0
url VCID-1eut-y5qx-dkhu
vulnerability_id VCID-1eut-y5qx-dkhu
summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-21908
reference_id
reference_type
scores
0
value 0.00517
scoring_system epss
scoring_elements 0.67093
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-21908
1
reference_url https://github.com/tinymce/tinymce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce
2
reference_url https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:08:03Z/
url https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes
3
reference_url https://github.com/advisories/GHSA-5h9g-x5rv-25wg
reference_id GHSA-5h9g-x5rv-25wg
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:08:03Z/
url https://github.com/advisories/GHSA-5h9g-x5rv-25wg
4
reference_url https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg
reference_id GHSA-5h9g-x5rv-25wg
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:08:03Z/
url https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg
fixed_packages
0
url pkg:composer/tinymce/tinymce@5.9.0
purl pkg:composer/tinymce/tinymce@5.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rh8y-q2vc-q7ba
1
vulnerability VCID-vyvk-n5gm-1uc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.9.0
aliases CVE-2024-21908, GHSA-5h9g-x5rv-25wg, GMS-2021-132, GMS-2021-163, GMS-2021-189
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1eut-y5qx-dkhu
1
url VCID-9brg-dm6s-2ba7
vulnerability_id VCID-9brg-dm6s-2ba7
summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-21911
reference_id
reference_type
scores
0
value 0.01446
scoring_system epss
scoring_elements 0.81122
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-21911
1
reference_url https://www.npmjs.com/package/tinymce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-16T19:26:37Z/
url https://www.npmjs.com/package/tinymce
2
reference_url https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-16T19:26:37Z/
url https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
3
reference_url https://github.com/advisories/GHSA-w7jx-j77m-wp65
reference_id GHSA-w7jx-j77m-wp65
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-16T19:26:37Z/
url https://github.com/advisories/GHSA-w7jx-j77m-wp65
4
reference_url https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65
reference_id GHSA-w7jx-j77m-wp65
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-16T19:26:37Z/
url https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65
fixed_packages
0
url pkg:composer/tinymce/tinymce@5.6.0
purl pkg:composer/tinymce/tinymce@5.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1eut-y5qx-dkhu
1
vulnerability VCID-rh8y-q2vc-q7ba
2
vulnerability VCID-vyvk-n5gm-1uc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.6.0
aliases CVE-2024-21911, GHSA-w7jx-j77m-wp65, GMS-2021-193, GMS-2021-508, GMS-2021-616
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9brg-dm6s-2ba7
2
url VCID-qngh-qsty-nkhh
vulnerability_id VCID-qngh-qsty-nkhh
summary 
Cross-site Scripting
A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-12648
reference_id
reference_type
scores
0
value 0.00283
scoring_system epss
scoring_elements 0.51975
published_at 2026-06-04T12:55:00Z
1
value 0.00283
scoring_system epss
scoring_elements 0.52036
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-12648
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-12648
reference_id CVE-2020-12648
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-12648
fixed_packages
0
url pkg:composer/tinymce/tinymce@5.4.1
purl pkg:composer/tinymce/tinymce@5.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1eut-y5qx-dkhu
1
vulnerability VCID-9brg-dm6s-2ba7
2
vulnerability VCID-rh8y-q2vc-q7ba
3
vulnerability VCID-vyvk-n5gm-1uc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.4.1
aliases CVE-2020-12648
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qngh-qsty-nkhh
3
url VCID-rh8y-q2vc-q7ba
vulnerability_id VCID-rh8y-q2vc-q7ba
summary 
Cross-site scripting vulnerability in TinyMCE alerts
### Impact
A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `image` plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user.

### Patches
This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements.

### Fix
To avoid this vulnerability:
- Upgrade to TinyMCE 5.10.7 or higher for TinyMCE 5.x.
- Upgrade to TinyMCE 6.3.1 or higher for TinyMCE 6.x.

### Workaround
To reduce the impact of this vulnerability:
- Ensure the the `images_upload_handler` returns a valid value as per the images_upload_handler documentation.

### References
- https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes
- https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes

### For more information
If you have any questions or comments about this advisory:
* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)
* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23494
reference_id
reference_type
scores
0
value 0.01514
scoring_system epss
scoring_elements 0.81574
published_at 2026-06-05T12:55:00Z
1
value 0.01514
scoring_system epss
scoring_elements 0.81546
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23494
1
reference_url https://github.com/tinymce/tinymce
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce
2
reference_url https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e
3
reference_url https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d
4
reference_url https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23494
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23494
6
reference_url https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes
7
reference_url https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes
8
reference_url https://www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler
9
reference_url https://github.com/advisories/GHSA-gg8r-xjwq-4w92
reference_id GHSA-gg8r-xjwq-4w92
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gg8r-xjwq-4w92
fixed_packages
0
url pkg:composer/tinymce/tinymce@5.10.7
purl pkg:composer/tinymce/tinymce@5.10.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.10.7
1
url pkg:composer/tinymce/tinymce@6.3.1
purl pkg:composer/tinymce/tinymce@6.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@6.3.1
aliases CVE-2022-23494, GHSA-gg8r-xjwq-4w92
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rh8y-q2vc-q7ba
4
url VCID-vyvk-n5gm-1uc8
vulnerability_id VCID-vyvk-n5gm-1uc8
summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TinyMCE.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-21910
reference_id
reference_type
scores
0
value 0.04084
scoring_system epss
scoring_elements 0.88783
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-21910
1
reference_url https://github.com/jazzband/django-tinymce/issues/366
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/
url https://github.com/jazzband/django-tinymce/issues/366
2
reference_url https://github.com/jazzband/django-tinymce/releases/tag/3.4.0
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/
url https://github.com/jazzband/django-tinymce/releases/tag/3.4.0
3
reference_url https://github.com/tinymce/tinymce
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce
4
reference_url https://pypi.org/project/django-tinymce/3.4.0
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://pypi.org/project/django-tinymce/3.4.0
5
reference_url https://pypi.org/project/django-tinymce/3.4.0/
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/
url https://pypi.org/project/django-tinymce/3.4.0/
6
reference_url https://github.com/advisories/GHSA-r8hm-w5f7-wj39
reference_id GHSA-r8hm-w5f7-wj39
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/
url https://github.com/advisories/GHSA-r8hm-w5f7-wj39
7
reference_url https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39
reference_id GHSA-r8hm-w5f7-wj39
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/
url https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39
fixed_packages
0
url pkg:composer/tinymce/tinymce@5.10.0
purl pkg:composer/tinymce/tinymce@5.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rh8y-q2vc-q7ba
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.10.0
aliases CVE-2024-21910, GHSA-r8hm-w5f7-wj39, GMS-2021-133, GMS-2021-164, GMS-2021-192, GMS-2021-8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vyvk-n5gm-1uc8
5
url VCID-yxpz-j48p-dydc
vulnerability_id VCID-yxpz-j48p-dydc
summary 
Cross-site Scripting
TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-17480
reference_id
reference_type
scores
0
value 0.00553
scoring_system epss
scoring_elements 0.68427
published_at 2026-06-04T12:55:00Z
1
value 0.00553
scoring_system epss
scoring_elements 0.68468
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-17480
1
reference_url https://github.com/tinymce/tinymce
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce
2
reference_url https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95
3
reference_url https://portswigger.net/daily-swig/xss-vulnerability-patched-in-tinymce
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://portswigger.net/daily-swig/xss-vulnerability-patched-in-tinymce
4
reference_url https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-17480
reference_id CVE-2020-17480
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-17480
6
reference_url https://github.com/advisories/GHSA-27gm-ghr9-4v95
reference_id GHSA-27gm-ghr9-4v95
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-27gm-ghr9-4v95
fixed_packages
0
url pkg:composer/tinymce/tinymce@5.1.4
purl pkg:composer/tinymce/tinymce@5.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1eut-y5qx-dkhu
1
vulnerability VCID-9brg-dm6s-2ba7
2
vulnerability VCID-qngh-qsty-nkhh
3
vulnerability VCID-rh8y-q2vc-q7ba
4
vulnerability VCID-vyvk-n5gm-1uc8
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.1.4
aliases CVE-2020-17480, GHSA-27gm-ghr9-4v95
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yxpz-j48p-dydc
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.1.1