TinyMCE 7.9.3
| These are the Tiny Cloud and TinyMCE Enterprise release notes. For information on the latest community version of TinyMCE, see the TinyMCE Changelog. |
Overview
TinyMCE 7.9.3 was released for TinyMCE Enterprise and Tiny Cloud on Wednesday, May 20th, 2026. These release notes provide an overview of the changes for TinyMCE 7.9.3, including:
Security fixes
TinyMCE 7.9.3 includes fixes for the following security issues:
Fixed stored XSS vulnerability using media plugin data-mce-object injection
A stored cross-site scripting (XSS) vulnerability was identified in the media plugin. Malicious scripts could be injected through crafted data-mce-object and data-mce-p- attributes and were executed when the content was rendered. TinyMCE 7.9.3 ensures that content with data-mce-object and data-mce-p- attributes is properly sanitized when the media plugin is in use.
CVE: pending
GHSA: GitHub Advisories.
| Tiny Technologies would like to thank Aymane MAZGUITI and Ange Primiterra for discovering this vulnerability. |
Fixed stored XSS vulnerability through mce:protected comments
A stored cross-site scripting (XSS) vulnerability was identified through forged mce:protected comments. Attackers could bypass sanitization and inject scripts that executed when content was restored. This issue affected configurations using the protect option. TinyMCE 7.9.3 validates decoded mce:protected content against configured protect regex rules before restoring.
CVE: pending
GHSA: GitHub Advisories.
| Tiny Technologies would like to thank Ivan Babenko (he1d3n) for discovering this vulnerability. |
Fixed stored XSS vulnerability through data-mce- prefixed src, href, style attributes
A stored cross-site scripting (XSS) vulnerability was identified through unsanitized data-mce-href, data-mce-src, and data-mce-style attributes. Malicious values in these attributes could override safe attributes during serialization, bypassing validation. TinyMCE 7.9.3 strips unsafe data-mce-* attributes during parsing.
CVE: pending
GHSA: GitHub Advisories.
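A triage scan for content saved before the upgrade, covering the three fixes above (added example, not TinyMCE code and not the vendor's fix): it lists the data-mce-* attributes named in these notes and checks each mce:protected comment against the site's protect rules. The function and class names, the sample HTML, the single protect rule and the percent-decoding of the comment payload are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attribute names taken from the release notes above.
EXACT = {"data-mce-object", "data-mce-href", "data-mce-src", "data-mce-style"}
PREFIX = "data-mce-p-"
MARKER = "mce:protected "


class MceAudit(HTMLParser):
    """Collects editor-internal markers found in one stored HTML document."""

    def __init__(self, protect_rules):
        super().__init__(convert_charrefs=True)
        self.rules = [re.compile(rule, re.S) for rule in protect_rules]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Names arrive lower-cased; presence is the signal, not the value.
        for name, _value in attrs:
            if name in EXACT or name.startswith(PREFIX):
                self.findings.append(("attribute", tag, name))

    def handle_comment(self, data):
        if not data.startswith(MARKER):
            return
        # Assumption: the payload after the marker is percent-encoded.
        decoded = unquote(data[len(MARKER):])
        ok = any(rule.fullmatch(decoded) for rule in self.rules)
        verdict = "matches protect rule" if ok else "no protect rule matches"
        self.findings.append(("comment", "mce:protected", verdict))


def audit(html, protect_rules=()):
    """Return (kind, location, detail) tuples for one stored HTML string."""
    parser = MceAudit(protect_rules)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample content and one constructed protect rule (hypothetical config).
RULES = [r"<\?php.*?\?>"]
SAMPLE = (
    '<p>Hello <a href="/docs" data-mce-href="/other">link</a></p>'
    '<span data-mce-object="iframe" data-mce-p-src="/embed">x</span>'
    '<!--mce:protected %3C%3Fphp%20echo%201%3B%20%3F%3E-->'
    '<!--mce:protected %3Cb%3Ehi%3C%2Fb%3E-->'
    '<p data-note="fine">clean</p>'
)
```

Findings are review candidates: the scan reports that a marker is present in stored content, not that the record is exploitable.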