VulnerableCode Vulnerability Details - VCID-jp8n-482q-n7ct

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-jp8n-482q-n7ct

Essentials
Severities (5)
References (2)
Severity details (5)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-jp8n-482q-n7ct
Aliases	GHSA-h96f-fc7c-9r55 GMS-2021-191
Summary	Regex denial of service vulnerability in codesample plugin ### Impact A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the `codesample` plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the `codesample` plugin using TinyMCE 5.5.1 or lower. ### Patches This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability. ### Workarounds To work around this vulnerability, either: - Upgrade to TinyMCE 5.6.0 or higher - Disable the `codesample` plugin - Disable ruby code samples using the [codesample_languages](https://www.tiny.cloud/docs/plugins/opensource/codesample/#exampleusingcodesample_languages) setting - Override the PrismJS syntax highlighter to version 1.21.0 or higher using the [codesample_global_prismjs](https://www.tiny.cloud/docs/plugins/opensource/codesample/#codesample_global_prismjs) setting ### Acknowledgements Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability. ### References https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes ### For more information If you have any questions or comments about this advisory: * Open an issue in the [TinyMCE repo](http://github.com/tinymce/tinymce/issues) * Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-400	Uncontrolled Resource Consumption
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-h96f-fc7c-9r55
cvssv3.1_qr	LOW	https://github.com/tinymce/tinymce/security/advisories/GHSA-h96f-fc7c-9r55
generic_textual	LOW	https://github.com/tinymce/tinymce/security/advisories/GHSA-h96f-fc7c-9r55
generic_textual	LOW	https://www.npmjs.com/package/tinymce
generic_textual	LOW	https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

Reference id	Reference type	URL
		https://github.com/tinymce/tinymce/security/advisories/GHSA-h96f-fc7c-9r55
GHSA-h96f-fc7c-9r55		https://github.com/advisories/GHSA-h96f-fc7c-9r55

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-12T08:03:39.402686+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-h96f-fc7c-9r55/GHSA-h96f-fc7c-9r55.json	38.6.0