Stored XSS in TinyMCE via forged mce:protected comments
CVE-2026-47762 is a stored cross-site scripting vulnerability in TinyMCE affecting versions prior to 5.11.1, 7.9.3, and 8.5.1. The flaw is in TinyMCE’s handling of protected content when the optional protect configuration is used to preserve non-standard or server-side markup during editing. TinyMCE serializes matched content into internal comment placeholders, including mce:protected comments, so that protected blocks survive parsing and sanitization. The vulnerability arises because TinyMCE does not properly validate the authenticity of these serialized comment placeholders when converting them back into raw HTML. An attacker can store a forged mce:protected comment containing attacker-controlled payloads, which bypasses normal sanitization and is later decoded and restored as active markup when the content is viewed or edited.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
protect option enabled. When another user, including potentially privileged users such as administrators or content managers, loads or edits the malicious content, attacker-supplied script executes in the victim’s browser within the application’s origin. This can enable session theft, credential capture, unauthorized actions on behalf of the victim, access to sensitive application data available to the browser session, and compromise of administrative workflows. The provided CVSS context indicates no direct availability impact, but confidentiality and integrity impact can be high.Mitigation
If you can’t patch tonight, do this now.
protect option where feasible, restricting who can submit or modify content processed by TinyMCE, and applying additional server-side sanitization or validation to reject forged mce:protected comment patterns before storage or rendering. Because the issue is triggered when malicious stored content is restored, review and sanitize previously stored editor content if compromise is suspected.Remediation
Patch, then assume compromise.
protect option to ensure protected-content restoration still behaves as expected after patching.Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A TinyMCE document comment handler vulnerability where forged comments bypass sanitization during restoration of hidden data blocks, enabling script injection.
A stored cross-site scripting vulnerability in TinyMCE's handling of protected custom markup preservation patterns, allowing forged internal comment placeholders to be restored as executable markup and bypass sanitization.
A stored XSS vulnerability in TinyMCE via forged mce:protected comments that can bypass sanitization and execute injected scripts when content is restored.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.