tinymce/tinymce is vulnerable to Cross-site Scripting (XSS)
Medium Risk (score 66)
Affected versions of the package are vulnerable to insufficient content sanitization in certain parsing scenarios. HTML-like content embedded in comments and legacy patterns may not be sanitized strictly enough when processed, potentially allowing cross-site scripting (XSS) if malicious markup is rendered. The issue is mitigated by updating dependency versions and strengthening the parsing logic to enforce stricter sanitization when `xss_sanitization` is enabled (the default). Additionally, a new `allow_html_in_comments` configuration option gives explicit control over whether HTML-like syntax in comment nodes is permitted, reducing the risk of unintended script execution.
You are affected if you are using a version that falls within the vulnerable range.
tinymce/tinymce is vulnerable to Cross-site Scripting (XSS) in versions 0.0.1 - 7.9.1.
Upgrade the tinymce/tinymce library to a patched version.
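As an added illustration (not TinyMCE's own code), the following shows the two editor options this advisory names, set explicitly, alongside a small server-side pre-check that flags comment nodes whose body contains HTML-like syntax, the pattern the advisory describes. The `selector` value and the default of `allow_html_in_comments` are assumptions, not stated on this page; the sample HTML is constructed.

```javascript
// Added example, not code from the TinyMCE project.
// Editor options the advisory names. The page says xss_sanitization is on by
// default; the default of allow_html_in_comments is not stated, so set it explicitly.
const hardenedInitOptions = {
  selector: 'textarea',          // assumed selector, not from the advisory
  xss_sanitization: true,        // page states this is the default
  allow_html_in_comments: false  // explicitly disallow HTML-like syntax in comments
};

// Return the body of every <!-- --> comment that contains an HTML-like tag.
// Simplified scanner, not the full HTML5 tokenizer: an unterminated comment
// runs to end of input, which matches how browsers treat it.
function findHtmlInComments(html) {
  const hits = [];
  let pos = 0;
  for (;;) {
    const start = html.indexOf('<!--', pos);
    if (start === -1) break;
    const end = html.indexOf('-->', start + 4);
    const body = end === -1 ? html.slice(start + 4) : html.slice(start + 4, end);
    if (/<\s*\/?[a-zA-Z]/.test(body)) hits.push(body.trim());
    if (end === -1) break;
    pos = end + 3;
  }
  return hits;
}

// Defensive default for content that never needs comments: drop them entirely
// before the markup reaches any rendering or editing surface.
function stripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '');
}

// Constructed sample: one harmless comment, one carrying HTML-like syntax.
const sample = '<p>Hello</p><!-- plain note --><!-- <b>draft</b> --><p>Bye</p>';
```

Use the pre-check as a detection signal for stored content (log or reject hits), not as a replacement for upgrading and for the editor's own sanitizer.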