VulnerableCode Package Details - pkg:npm/tinymce@4.9.7

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/tinymce@4.9.7

Essentials
History (8)

purl	pkg:npm/tinymce@4.9.7

Next non-vulnerable version	5.6.0
Latest non-vulnerable version	7.2.0
Risk

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-9brg-dm6s-2ba7 Aliases: CVE-2024-21911 GHSA-w7jx-j77m-wp65 GMS-2021-193 GMS-2021-508 GMS-2021-616	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.	5.6.0 Affected by 0 other vulnerabilities.
VCID-cz6w-pdan-rfa4 Aliases: GHSA-vrv8-v4w8-f95h GMS-2020-789	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.	4.9.11 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.4.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-e8m3-ecws-efeg Aliases: CVE-2019-1010091 GHSA-c78w-2gw7-gjv3	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') tinymce The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.	4.9.10 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qngh-qsty-nkhh Aliases: CVE-2020-12648	Cross-site Scripting A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.	4.9.11 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.4.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-r9zu-cdb9-8ubc Aliases: GHSA-h96f-fc7c-9r55 GMS-2021-191	Regex denial of service vulnerability in codesample plugin A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the `codesample` plugin.	5.6.0 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (2)

Vulnerability	Summary	Aliases
VCID-fj7n-xsd4-xycn	Duplicate Advisory: Cross-site scripting in TinyMCE ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-27gm-ghr9-4v95. This link is maintained to preserve external references. ## Original Description TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.	GHSA-p7j5-4mwm-hv86
VCID-yxpz-j48p-dydc	Cross-site Scripting TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.	CVE-2020-17480 GHSA-27gm-ghr9-4v95

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:43:03.429822+00:00	GitLab Importer	Affected by	VCID-r9zu-cdb9-8ubc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinymce/GMS-2021-191.yml	38.6.0
2026-06-04T20:43:02.555925+00:00	GitLab Importer	Affected by	VCID-9brg-dm6s-2ba7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinymce/GMS-2021-193.yml	38.6.0
2026-06-04T20:34:09.445186+00:00	GitLab Importer	Affected by	VCID-qngh-qsty-nkhh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinymce/CVE-2020-12648.yml	38.6.0
2026-06-04T20:34:05.332513+00:00	GitLab Importer	Affected by	VCID-cz6w-pdan-rfa4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinymce/GMS-2020-789.yml	38.6.0
2026-06-04T20:30:11.676098+00:00	GitLab Importer	Affected by	VCID-e8m3-ecws-efeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinymce/CVE-2019-1010091.yml	38.6.0
2026-06-04T17:36:33.438720+00:00	GithubOSV Importer	Fixing	VCID-fj7n-xsd4-xycn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-p7j5-4mwm-hv86/GHSA-p7j5-4mwm-hv86.json	38.6.0
2026-06-04T17:23:17.820680+00:00	GithubOSV Importer	Fixing	VCID-yxpz-j48p-dydc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-27gm-ghr9-4v95/GHSA-27gm-ghr9-4v95.json	38.6.0
2026-06-04T16:20:09.909419+00:00	GitLab Importer	Fixing	VCID-yxpz-j48p-dydc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tinymce/CVE-2020-17480.yml	38.6.0