TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-m…

TinyMCE, an open source rich text editor, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 5.11.1, 7.9.3, and 8.5.1. The vulnerability exists due to unsanitized data-mce-* attributes including data-mce-href, data-mce-src, and data-mce-style. Attackers can exploit this by injecting malicious values that override safe attributes during serialization, effectively bypassing validation mechanisms. This stored XSS vulnerability allows persistent script execution in the context of the application. The vulnerability has been patched in versions 5.11.1, 7.9.3, and 8.5.1 across the affected version branches.