CVE-2026-47760: TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
TinyMCE 6.8.x contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-47760 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →