Listen to this Post
CVE-2026-47762 is a stored cross‑site scripting (XSS) vulnerability in TinyMCE, an open source rich text editor. The flaw resides in how the editor handles specially crafted `mce:protected` comments when the `protect` option is enabled.
Normally, TinyMCE applies HTML sanitization to strip dangerous scripts. However, the `protect` feature allows administrators to define regex patterns that preserve certain content from being sanitized – a mechanism intended to keep embedded media or custom markup.
An attacker can forge a comment in the editor’s internal format: <!-- mce:protected ... -->. Inside this comment, they inject a malicious JavaScript payload encoded in a way that bypasses the default sanitizer.
When the content is later restored (e.g., loaded from the database or displayed to another user), TinyMCE parses the comment and reconstructs the inner HTML without re‑applying the usual XSS filters. The protected marker tells the editor to trust the content, so the attacker’s script is written directly into the DOM.
Because the payload is stored persistently (e.g., in a blog post, comment, or page), any victim who views the affected content will execute the script in their browser. This can lead to session hijacking, credential theft, or forced actions on behalf of the user.
The vulnerability affects all TinyMCE versions prior to 5.11.1, 7.9.3, and 8.5.1. If your application uses `protect` with custom regexes or relies on the editor’s default protection of certain patterns, you are at risk.
The root cause is insufficient validation of the data inside `mce:protected` blocks. TinyMCE’s sanitization step runs before these blocks are expanded, allowing an attacker to slip unescaped `
