Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-xvww-6tkv-yqfs
Vulnerability ID VCID-xvww-6tkv-yqfs
Aliases CVE-2023-45819
GHSA-hgqx-r2hp-jr38
Summary TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered. When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when an notification presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.02191 https://api.first.org/data/v1/epss?cve=CVE-2023-45819
epss 0.02191 https://api.first.org/data/v1/epss?cve=CVE-2023-45819
epss 0.02191 https://api.first.org/data/v1/epss?cve=CVE-2023-45819
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hgqx-r2hp-jr38
cvssv3.1 6.1 https://github.com/tinymce/tinymce
generic_textual MODERATE https://github.com/tinymce/tinymce
cvssv3.1 6.1 https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38
cvssv3.1_qr MODERATE https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38
generic_textual MODERATE https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38
ssvc Track https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2023-45819
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-45819
cvssv3.1 6.1 https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes
generic_textual MODERATE https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes
cvssv3.1 6.1 https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes
generic_textual MODERATE https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-45819
https://github.com/tinymce/tinymce
https://nvd.nist.gov/vuln/detail/CVE-2023-45819
GHSA-hgqx-r2hp-jr38 https://github.com/advisories/GHSA-hgqx-r2hp-jr38
GHSA-hgqx-r2hp-jr38 https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/tinymce/tinymce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:48:46Z/ Found at https://github.com/tinymce/tinymce/security/advisories/GHSA-hgqx-r2hp-jr38
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-45819
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://tiny.cloud/docs/release-notes/release-notes5108/#securityfixes
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://tiny.cloud/docs/tinymce/6/6.7.1-release-notes/#security-fixes
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.84754
EPSS Score 0.02191
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:22:23.818417+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/45xxx/CVE-2023-45819.json 38.6.0