Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability stems from TinyMCE's handling of 'object' and 'embed' elements that reference SVG files. The commit diff shows that the critical fix was the addition of a node filter in ParserFilters.ts that converts these elements to safer alternatives chosen by MIME type. Before this fix (versions < 7.0.0), the register function did not install this filter, so the parser passed object/embed elements through unprocessed and left them usable for XSS. The addition of the convert_unsafe_embeds option and the associated filtering logic in this function directly addresses the vulnerability, confirming the function's role in the exploit path.
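The filter described above, as an added illustration written for this page (not TinyMCE's own ParserFilters.ts code): nodes are modelled as plain `{ name, attrs }` objects (a constructed shape), and the exact replacement attributes, including the `sandbox` on the fallback iframe, are this example's assumptions rather than TinyMCE's documented behaviour.

```javascript
// Map a MIME type to the most restrictive element that can still render it.
// Unknown or missing types fall back to an isolated iframe.
function pickReplacement(mime) {
  const type = (mime || '').toLowerCase();
  if (type.startsWith('image/')) return 'img';   // SVG in <img> never runs script
  if (type.startsWith('video/')) return 'video';
  if (type.startsWith('audio/')) return 'audio';
  return 'iframe';
}

// Rewrite a single <object>/<embed> node; any other node is returned unchanged.
function convertUnsafeEmbed(node) {
  if (node.name !== 'object' && node.name !== 'embed') return node;
  const attrs = node.attrs || {};
  // <object> carries the resource in `data`, <embed> in `src`.
  const src = node.name === 'object' ? attrs.data : attrs.src;
  const tag = pickReplacement(attrs.type);
  const out = { name: tag, attrs: {} };
  if (src) out.attrs.src = src;
  if (attrs.width) out.attrs.width = attrs.width;
  if (attrs.height) out.attrs.height = attrs.height;
  // Assumption of this example: isolate the catch-all case in a sandboxed frame.
  if (tag === 'iframe') out.attrs.sandbox = '';
  return out;
}

// Apply the filter across a flat list of parsed nodes.
function filterNodes(nodes) {
  return nodes.map(convertUnsafeEmbed);
}

// Constructed sample input: an SVG object, a video embed, a typeless embed, a paragraph.
const SAMPLE = [
  { name: 'object', attrs: { data: 'logo.svg', type: 'image/svg+xml', width: '120' } },
  { name: 'embed', attrs: { src: 'clip.mp4', type: 'VIDEO/mp4' } },
  { name: 'embed', attrs: { src: 'page.html' } },
  { name: 'p', attrs: {} },
];

console.log(JSON.stringify(filterNodes(SAMPLE), null, 2));
```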
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tinymce/tinymce | composer | < 7.0.0 | 7.0.0 |
| tinymce | npm | < 7.0.0 | 7.0.0 |
| TinyMCE | nuget | < 7.0.0 | 7.0.0 |