TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-m…

TinyMCE open source rich text editor contains a stored XSS vulnerability in versions prior to 5.11.1, 7.9.3, and 8.5.1. The vulnerability exists in unsanitized data-mce-* attributes including data-mce-href, data-mce-src, and data-mce-style. Attackers can inject malicious values that override safe attributes during serialization, effectively bypassing validation mechanisms. This allows for stored cross-site scripting attacks that persist in the application. The vulnerability has been patched in the specified versions across all affected release branches.