tinymce 5.10.9

Direct Vulnerabilities

Known vulnerabilities in the tinymce package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized `data-mce-href`, `data-mce-src`, and `data-mce-style` attributes. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious values that override safe attributes during serialization, bypassing validation. How to fix Cross-site Scripting (XSS)? Upgrade `tinymce` to version 7.9.3, 8.5.1 or higher.	<7.9.3>=8.0.0 <8.5.1
M Cross-site Scripting (XSS) tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `mce:protected` comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content that bypasses sanitization and is executed when the content is restored. How to fix Cross-site Scripting (XSS)? Upgrade `tinymce` to version 7.9.3, 8.5.1 or higher.	<7.9.3>=8.0.0 <8.5.1
M Cross-site Scripting (XSS) tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `media` plugin when handling crafted `data-mce-*` attributes. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious content that is rendered when the affected plugin is enabled. This is only exploitable if the `media` plugin is enabled. How to fix Cross-site Scripting (XSS)? Upgrade `tinymce` to version 7.9.3, 8.5.1 or higher.	<7.9.3>=8.0.0 <8.5.1
M Cross-site Scripting (XSS) tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when using the `noneditable_regexp` option on an element whose content does not match the regex. An attacker can inject malicious scripts into HTML attributes that are executed when extracted from the editor. How to fix Cross-site Scripting (XSS)? Upgrade `tinymce` to version 6.8.4, 7.2.0 or higher.	<6.8.4>=7.0.0 <7.2.0
M Cross-site Scripting (XSS) tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when parsing `noscript` elements in the editor. An attacker can bypass sanitization by placing malicious code in `noscript` elements. How to fix Cross-site Scripting (XSS)? Upgrade `tinymce` to version 6.8.4, 7.2.0 or higher.	<6.8.4>=7.0.0 <7.2.0
M Cross-site Scripting (XSS) tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via `iframe` elements inserted into the editor. Attacks are limited by same-origin browser protections, but downloading files is still possible. How to fix Cross-site Scripting (XSS)? Upgrade `tinymce` to version 7.0.0 or higher.	<7.0.0
M Cross-site Scripting (XSS) tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when loading SVG files via `object` or `embed` elements. How to fix Cross-site Scripting (XSS)? Upgrade `tinymce` to version 7.0.0 or higher.	<7.0.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)