VulnerableCode Package Details - pkg:composer/tinymce/tinymce@4.9.1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/tinymce/tinymce@4.9.1

Essentials
History (5)

purl	pkg:composer/tinymce/tinymce@4.9.1

Next non-vulnerable version	5.10.0
Latest non-vulnerable version	7.2.0
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-1eut-y5qx-dkhu Aliases: CVE-2024-21908 GHSA-5h9g-x5rv-25wg GMS-2021-132 GMS-2021-163 GMS-2021-189	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.	5.9.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-9brg-dm6s-2ba7 Aliases: CVE-2024-21911 GHSA-w7jx-j77m-wp65 GMS-2021-193 GMS-2021-508 GMS-2021-616	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.	5.6.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qngh-qsty-nkhh Aliases: CVE-2020-12648	Cross-site Scripting A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.	4.9.11 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.4.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vyvk-n5gm-1uc8 Aliases: CVE-2024-21910 GHSA-r8hm-w5f7-wj39 GMS-2021-133 GMS-2021-164 GMS-2021-192 GMS-2021-8	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TinyMCE.	5.10.0 Affected by 0 other vulnerabilities.
VCID-yxpz-j48p-dydc Aliases: CVE-2020-17480 GHSA-27gm-ghr9-4v95	Cross-site Scripting TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.	4.9.7 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.4 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:04:43.113402+00:00	GitLab Importer	Affected by	VCID-vyvk-n5gm-1uc8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/tinymce/tinymce/GMS-2021-133.yml	38.6.0
2026-06-06T01:03:44.737988+00:00	GitLab Importer	Affected by	VCID-1eut-y5qx-dkhu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/tinymce/tinymce/GMS-2021-132.yml	38.6.0
2026-06-04T20:43:05.510947+00:00	GitLab Importer	Affected by	VCID-9brg-dm6s-2ba7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/tinymce/tinymce/GMS-2021-508.yml	38.6.0
2026-06-04T20:34:08.361757+00:00	GitLab Importer	Affected by	VCID-qngh-qsty-nkhh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/tinymce/tinymce/CVE-2020-12648.yml	38.6.0
2026-06-04T20:34:01.831924+00:00	GitLab Importer	Affected by	VCID-yxpz-j48p-dydc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/tinymce/tinymce/CVE-2020-17480.yml	38.6.0