{"url":"http://public2.vulnerablecode.io/api/packages/453769?format=json","purl":"pkg:composer/tinymce/tinymce@4.8.4","type":"composer","namespace":"tinymce","name":"tinymce","version":"4.8.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.10.9","latest_non_vulnerable_version":"7.2.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40599?format=json","vulnerability_id":"VCID-4fk4-945r-mucj","summary":"Cross-site scripting vulnerability in TinyMCE\n### Impact\nA cross-site scripting (XSS) vulnerability was discovered in: the core parser, `paste` and `visualchars` plugins. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.6 or lower and TinyMCE 5.1.3 or lower.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 4.9.7 and 5.1.4 by improved parser logic and HTML sanitization.\n\n### Workarounds\nThe workarounds available are:\n- disable the impacted plugins\n- manually sanitize the content using the `BeforeSetContent` event (see below)\n- upgrade to either TinyMCE 4.9.7 or TinyMCE 5.1.4\n\n#### Example: Manually sanitize content\n```js\neditor.on('BeforeSetContent', function(e) {\n  var sanitizedContent = ...; // Manually sanitize content here\n  e.content = sanitizedContent;\n});\n```\n\n### Acknowledgements\nTiny Technologies would like to thank Michał Bentkowski for discovering this vulnerability.\n\n### References\nhttps://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)\n* Email us at 
[infosec@tiny.cloud](mailto:infosec@tiny.cloud)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-17480","reference_id":"","reference_type":"","scores":[{"value":"0.00553","scoring_system":"epss","scoring_elements":"0.68363","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-17480"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17480","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-17480"},{"reference_url":"https://portswigger.net/daily-swig/xss-vulnerability-patched-in-tinymce","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://portswigger.net/daily-swig/xss-vulnerability-patched-in-tinymce"},{"reference_url":"https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes"},{"reference_url":"https://github.com/advisories/GHSA-27gm-ghr9-4v95","reference_id":"GHSA-27gm-ghr9-4v95","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"
url":"https://github.com/advisories/GHSA-27gm-ghr9-4v95"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/453778?format=json","purl":"pkg:composer/tinymce/tinymce@4.9.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acey-2rby-93ec"},{"vulnerability":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-fars-7p1j-uygy"},{"vulnerability":"VCID-g5d5-gpmn-67eu"},{"vulnerability":"VCID-kbnj-qkmq-pfbu"},{"vulnerability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@4.9.7"},{"url":"http://public2.vulnerablecode.io/api/packages/453800?format=json","purl":"pkg:composer/tinymce/tinymce@5.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acey-2rby-93ec"},{"vulnerability":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-fars-7p1j-uygy"},{"vulnerability":"VCID-g5d5-gpmn-67eu"},{"vulnerability":"VCID-kbnj-qkmq-pfbu"},{"vulnerability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.1.4"}],"aliases":["CVE-2020-17480","GHSA-27gm-ghr9-4v95"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4fk4-945r-mucj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44460?format=json","vulnerability_id":"VCID-acey-2rby-93ec","summary":"Cross-site scripting vulnerability in TinyMCE plugins\n### Impact\nA cross-site scripting (XSS) vulnerability was discovered in the URL processing logic of the `image` and `link` plugins. The vulnerability allowed arbitrary JavaScript execution when updating an image or link using a specially crafted URL. This issue only impacted users while editing and the dangerous URLs were stripped in any content extracted from the editor. 
This impacts all users who are using TinyMCE 5.9.2 or lower.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 5.10.0 by improved sanitization logic when updating URLs in the relevant plugins.\n\n### Workarounds\nTo work around this vulnerability, either:\n- Upgrade to TinyMCE 5.10.0 or higher\n- Disable the `image` and `link` plugins\n\n### Acknowledgements\nTiny Technologies would like to thank Yakir6 for discovering this vulnerability.\n\n### References\nhttps://www.tiny.cloud/docs/release-notes/release-notes510/#securityfixes\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)\n* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21910","reference_id":"","reference_type":"","scores":[{"value":"0.04084","scoring_system":"epss","scoring_elements":"0.88751","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21910"},{"reference_url":"https://github.com/jazzband/django-tinymce/issues/366","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/"}],"url":"https://github.com/jazzband/django-tinymce/issues/366"},{"reference_url":"https://github.com/jazzband/django-tinymce/releases/tag/3.4.0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2
024-01-09T20:43:59Z/"}],"url":"https://github.com/jazzband/django-tinymce/releases/tag/3.4.0"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/"}],"url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39"},{"reference_url":"https://pypi.org/project/django-tinymce/3.4.0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/django-tinymce/3.4.0"},{"reference_url":"https://pypi.org/project/django-tinymce/3.4.0/","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-01-09T20:43:59Z/"}],"url":"https://pypi.org/project/django-tinymce/3.4.0/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78266?format=json","purl":"pkg:composer/tinymce/tinymce@5.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-fars-7p1j-uygy"},{"vulner
ability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.10.0"}],"aliases":["CVE-2024-21910","GHSA-r8hm-w5f7-wj39","GMS-2021-133","GMS-2021-164","GMS-2021-192","GMS-2021-8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-acey-2rby-93ec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35140?format=json","vulnerability_id":"VCID-ahcw-dq3p-3ubq","summary":"TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin\n### Impact\nA [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations) (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. 
If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native [DOMParser API](https://developer.mozilla.org/en-US/docs/Web/API/DOMParser) (TinyMCE 6) or the [SaxParser API](https://www.tiny.cloud/docs/api/tinymce.html/tinymce.html.saxparser/) (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed.\nThis vulnerability also impacts these related TinyMCE APIs and plugins:\n* [`tinymce.Editor.getContent({ format: 'raw' })`](https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#getContent)\n* [`tinymce.Editor.resetContent()`](https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#resetContent)\n* [Autosave Plugin](https://tiny.cloud/docs/tinymce/6/autosave/)\n\n### Patches\nThis vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation.\n\n### Fix\nTo avoid this vulnerability:\n* Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.\n* Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.\n\n### Acknowledgements\nTiny Technologies would like to thank Masato Kinugawa of [Cure53](https://cure53.de/) for discovering this vulnerability.\n\n### References\n* [TinyMCE 5.10.8 Release Notes](https://tiny.cloud/docs/release-notes/release-notes5108/)\n* [TinyMCE 6.7.1 Release Notes](https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at <infosec@tiny.cloud>\n* Open an issue in the [TinyMCE 
repo](https://github.com/tinymce/tinymce/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45818","reference_id":"","reference_type":"","scores":[{"value":"0.01282","scoring_system":"epss","scoring_elements":"0.79905","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45818"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-v65r-p3vv-jjfv","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T15:36:29Z/"}],"url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-v65r-p3vv-jjfv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45818","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45818"},{"reference_url":"https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scor
ing_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T15:36:29Z/"}],"url":"https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations"},{"reference_url":"https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T15:36:29Z/"}],"url":"https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes"},{"reference_url":"https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T15:36:29Z/"}],"url":"https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes"},{"reference_url":"https://www.tiny.cloud/docs/api/tinymce.html/tinymce.html.saxparser","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tiny.cloud/docs/api/tinymce.html/tinymce.html.saxparser"},{"reference_url":"https://github.com/advisories/GHSA-v65r-p3vv-jjfv","reference_id":"GHSA-v65r-p3vv-jjfv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v65r-p3vv-jjfv"},{"reference_url":"https://www.tiny.cloud/docs/api/tinymce.html/tinymce.ht
ml.saxparser/","reference_id":"tinymce.html.saxparser","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T15:36:29Z/"}],"url":"https://www.tiny.cloud/docs/api/tinymce.html/tinymce.html.saxparser/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67240?format=json","purl":"pkg:composer/tinymce/tinymce@5.10.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nkuw-ayka-wkcc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.10.8"},{"url":"http://public2.vulnerablecode.io/api/packages/67236?format=json","purl":"pkg:composer/tinymce/tinymce@6.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nkuw-ayka-wkcc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@6.7.1"}],"aliases":["CVE-2023-45818","GHSA-v65r-p3vv-jjfv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ahcw-dq3p-3ubq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50069?format=json","vulnerability_id":"VCID-fars-7p1j-uygy","summary":"Cross-site scripting vulnerability in TinyMCE alerts\n### Impact\nA cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `image` plugin, which presents these dialogs when certain errors occur. 
The vulnerability allowed arbitrary JavaScript execution when an alert was presented in the TinyMCE UI for the current user.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements.\n\n### Fix\nTo avoid this vulnerability:\n- Upgrade to TinyMCE 5.10.7 or higher for TinyMCE 5.x.\n- Upgrade to TinyMCE 6.3.1 or higher for TinyMCE 6.x.\n\n### Workaround\nTo reduce the impact of this vulnerability:\n- Ensure the `images_upload_handler` returns a valid value as per the images_upload_handler documentation.\n\n### References\n- https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes\n- https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)\n* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23494","reference_id":"","reference_type":"","scores":[{"value":"0.01849","scoring_system":"epss","scoring_elements":"0.83312","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23494"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_eleme
nts":""}],"url":"https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e"},{"reference_url":"https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d"},{"reference_url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23494","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23494"},{"reference_url":"https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tiny.cloud/docs/release-notes/release-notes5107/#securityfixes"},{"reference_url":"https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tiny.cloud/docs/tinymce/6/6.3-release-notes/#security-fixes"},{"reference_url":"https://www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tiny.cloud/docs/tinymce/6/file-image-upload/#images_upload_handler"},{"reference_url":"https://github.com/advisories/GHSA-gg8r-xjwq-4w92","reference_id":"GHSA-gg8r-xjwq-4w92","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gg8r-xjwq-4w92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86262?format=json","purl":"pkg:composer/tinymce/tinymce@5.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/86259?format=json","purl":"pkg:composer/tinymce/tinymce@6.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@6.3.1"}],"aliases":["CVE-2022-23494","GHSA-gg8r-xjwq-4w92"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fars-7p1j-uygy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41729?format=json","vulnerability_id":"VCID-
g5d5-gpmn-67eu","summary":"Cross-site scripting vulnerability in TinyMCE\n### Impact\nA cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements.\n\n### Workarounds\nTo work around this vulnerability, either:\n- Upgrade to TinyMCE 5.9.0 or higher\n- Manually sanitize the content using the `BeforeSetContent` event (see below)\n\n#### Example: Manually sanitize content\n```js\neditor.on('BeforeSetContent', function(e) {\n  var sanitizedContent = ...; // Manually sanitize content here\n  e.content = sanitizedContent;\n});\n```\n\n### Acknowledgements\nTiny Technologies would like to thank William Bowling for discovering this vulnerability.\n\n### References\nhttps://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)\n* Open an issue in the [TinyMCE 
repo](https://github.com/tinymce/tinymce/issues)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21908","reference_id":"","reference_type":"","scores":[{"value":"0.00517","scoring_system":"epss","scoring_elements":"0.66987","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21908"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:08:03Z/"}],"url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg"},{"reference_url":"https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:08:03Z/"}],"url":"https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75357?format=json","purl":"pkg:composer/tinymce/tinymce@5.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acey-2rby-93ec"},{"vulnerabi
lity":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-fars-7p1j-uygy"},{"vulnerability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.9.0"}],"aliases":["CVE-2024-21908","GHSA-5h9g-x5rv-25wg","GMS-2021-132","GMS-2021-163","GMS-2021-189"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g5d5-gpmn-67eu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40871?format=json","vulnerability_id":"VCID-kbnj-qkmq-pfbu","summary":"Cross-site scripting vulnerability in TinyMCE\n### Impact\nA cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 4.9.11 and 5.4.1 by improved HTML parsing and sanitization logic.\n\n### Workarounds\nThe workarounds available are:\n- upgrade to either TinyMCE 4.9.11 or TinyMCE 5.4.1\nor\n- enable the media plugin, which overrides the default parsing behaviour for iframes\nor\n- add the following workaround to update the parsing schema rules for iframes:\n\n#### Example: Change the default schema for iframes\n```js\nsetup: function(editor) {\n  editor.on('PreInit', function() {\n    // Closing tag regex: the forward slash must be escaped inside a JS regex literal\n    editor.schema.getSpecialElements()['iframe'] = /<\\/iframe[^>]*>/gi;\n  });\n}\n```\n\n### Acknowledgements\nTiny Technologies would like to thank George Steketee and Chris Davis at [Bishop Fox](https://www.bishopfox.com/) for discovering this vulnerability.\n\n### References\nhttps://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in 
the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)\n* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-12648","reference_id":"","reference_type":"","scores":[{"value":"0.00283","scoring_system":"epss","scoring_elements":"0.51942","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-12648"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/commit/2b71c922214d388838d930806207a66c14e80f63","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/commit/2b71c922214d388838d930806207a66c14e80f63"},{"reference_url":"https://github.com/tinymce/tinymce/commit/696e43658dc9750ec24fdc4650bd2be9653daf5b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/commit/696e43658dc9750ec24fdc4650bd2be9653daf5b"},{"reference_url":"https://github.com/tinymce/tinymce/pull/5843","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/pull/5843"},{"reference_
url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-vrv8-v4w8-f95h","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-vrv8-v4w8-f95h"},{"reference_url":"https://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tiny.cloud/docs/release-notes/release-notes54/#securityfixes"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-12648","reference_id":"CVE-2020-12648","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-12648"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/453849?format=json","purl":"pkg:composer/tinymce/tinymce@4.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acey-2rby-93ec"},{"vulnerability":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-fars-7p1j-uygy"},{"vulnerability":"VCID-g5d5-gpmn-67eu"},{"vulnerability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@4.9.11"},{"url":"http://public2.vulnerablecode.io/api/packages/453859?format=json","purl":"pkg:composer/tinymce/tinymce@5.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acey-2rby-93ec"},{"vulnerability":"VCID-ahcw-dq3p-3ubq"},{"vulnerability":"VCID-fars-7p1j-uygy"},{"vulnerability":"VCID-g5d5-gpmn-67eu"},{"vulnerability":"VCID-nkuw-ayka-wkcc"},{"vulnerability":"VCID-png3
-86at-ebdz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.4.1"}],"aliases":["CVE-2020-12648","GHSA-vrv8-v4w8-f95h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kbnj-qkmq-pfbu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38065?format=json","vulnerability_id":"VCID-nkuw-ayka-wkcc","summary":"TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes\n### Impact\nA [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations) (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the [HTML standard](https://html.spec.whatwg.org/multipage/parsing.html#serialising-html-fragments). If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. 
Such mutations occur when serialised HTML content is processed before being stored in the undo stack, or when the following APIs and plugins are used:\n* [`tinymce.Editor.getContent({ format: 'raw' })`](https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#getContent)\n* [`tinymce.Editor.resetContent()`](https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#resetContent)\n* [Autosave Plugin](https://tiny.cloud/docs/tinymce/6/autosave/)\n\n### Patches\nThis vulnerability has been patched in TinyMCE 6.7.3 by:\n* ensuring that any unescaped text nodes which contain the special internal marker are emptied before removing the marker from the rest of the HTML, and\n* removing the special internal marker from content strings passed to `Editor.setContent`, `Editor.insertContent`, and `Editor.resetContent` APIs to prevent them from being loaded into the editor as user-provided content.\n\n### Fix\nTo avoid this vulnerability:\n- Upgrade to TinyMCE 6.7.3 or higher for TinyMCE 6.x.\n- Upgrade to TinyMCE 5.10.9 or higher for TinyMCE 5.x.\n\n### Acknowledgements\nTiny Technologies would like to thank Masato Kinugawa of [Cure53](https://cure53.de/) for discovering this vulnerability.\n\n### References\n- [TinyMCE 5.10.9 Release Notes](https://tiny.cloud/docs/release-notes/release-notes5109/)\n- [TinyMCE 6.7.3 Release Notes](https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/)\n\n### For more information\n\nEmail us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)\nOpen an issue in the [TinyMCE 
repo](https://github.com/tinymce/tinymce/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48219","reference_id":"","reference_type":"","scores":[{"value":"0.02076","scoring_system":"epss","scoring_elements":"0.84243","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-48219"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/releases/tag/5.10.9","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/releases/tag/5.10.9"},{"reference_url":"https://github.com/tinymce/tinymce/releases/tag/6.7.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce/releases/tag/6.7.3"},{"reference_url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T17:41:49Z/"}],"url":"https://github.com/tinymce/tinymce/security/advisories/G
HSA-v626-r774-j7f8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48219","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48219"},{"reference_url":"https://tiny.cloud/docs/release-notes/release-notes5109","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tiny.cloud/docs/release-notes/release-notes5109"},{"reference_url":"https://tiny.cloud/docs/release-notes/release-notes5109/","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T17:41:49Z/"}],"url":"https://tiny.cloud/docs/release-notes/release-notes5109/"},{"reference_url":"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes"},{"reference_url":"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T17:41:49Z/"}],"url":"https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"},{"reference_url":"https://gith
ub.com/advisories/GHSA-v626-r774-j7f8","reference_id":"GHSA-v626-r774-j7f8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v626-r774-j7f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71013?format=json","purl":"pkg:composer/tinymce/tinymce@5.10.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.10.9"},{"url":"http://public2.vulnerablecode.io/api/packages/71014?format=json","purl":"pkg:composer/tinymce/tinymce@6.7.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@6.7.3"}],"aliases":["CVE-2023-48219","GHSA-v626-r774-j7f8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkuw-ayka-wkcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35096?format=json","vulnerability_id":"VCID-png3-86at-ebdz","summary":"TinyMCE XSS vulnerability in notificationManager.open API\n### Impact\nA [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling.  The conditions for this exploit requires carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered.  \n\nWhen a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when an notification presented in the TinyMCE UI for the current user.  
This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit.\n\n### Fix\nTo avoid this vulnerability:\n\n* Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.\n* Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.\n\n### References\n* <https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes>\n* <https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes>\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at <infosec@tiny.cloud>\n* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45819","reference_id":"","reference_type":"","scores":[{"value":"0.02191","scoring_system":"epss","scoring_elements":"0.84664","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45819"},{"reference_url":"https://github.com/tinymce/tinymce","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/tinymce/tinymce"},{"reference_url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:48:46Z/"}],"url":"https://github.com
/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45819","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45819"},{"reference_url":"https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes"},{"reference_url":"https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes"},{"reference_url":"https://github.com/advisories/GHSA-hgqx-r2hp-jr38","reference_id":"GHSA-hgqx-r2hp-jr38","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hgqx-r2hp-jr38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67240?format=json","purl":"pkg:composer/tinymce/tinymce@5.10.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nkuw-ayka-wkcc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@5.10.8"},{"url":"http://public2.vulnerablecode.io/api/packages/67236?format=json","purl":"pkg:composer/tinymce/tinymce@6.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nkuw-ayka-wkcc"}],"resource_url":"http://public2.vuln
erablecode.io/packages/pkg:composer/tinymce/tinymce@6.7.1"}],"aliases":["CVE-2023-45819","GHSA-hgqx-r2hp-jr38"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-png3-86at-ebdz"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/tinymce/tinymce@4.8.4"}