8 changes: 4 additions & 4 deletions modules/ROOT/pages/8.5.1-release-notes.adoc
Expand Up @@ -26,7 +26,7 @@ include::partial$misc/admon-releasenotes-for-stable.adoc[]

A stored cross-site scripting (XSS) vulnerability was identified in the media plugin. Malicious scripts could be injected through crafted `data-mce-object` and `data-mce-p-*` attributes, which were executed when content was rendered. {productname} {release-version} ensures that content with `data-mce-object` and `data-mce-p-*` attributes is properly sanitized when the media plugin is in use.

CVE: _pending_
CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-47761[CVE-2026-47761]

GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-vg35-5wq7-3x7w[GitHub Advisories].

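Review bot: the two reference lines in this block are inconsistent: `CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-47761[CVE-2026-47761]` has no trailing period and uses the identifier as link text, while `GHSA: ...[GitHub Advisories].` ends with a period and uses generic link text. Pick one convention (identifier as link text, no trailing period) and apply it to both lines so the three advisories render uniformly.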
Expand All @@ -37,7 +37,7 @@ NOTE: Tiny Technologies would like to thank https://github.com/UncleJ4ck[Aymane

A stored cross-site scripting (XSS) vulnerability was identified through forged `mce:protected` comments. Attackers could bypass sanitization and inject scripts that executed when content was restored. This issue affected configurations using the `protect` option. {productname} {release-version} validates decoded `mce:protected` content against configured `protect` regex rules before restoring.

CVE: _pending_
CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-47762[CVE-2026-47762]

GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv[GitHub Advisories].

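Review bot: before this ships, confirm the NVD record behind `https://nvd.nist.gov/vuln/detail/CVE-2026-47762` is actually published; NVD analysis can lag the GHSA publication, so a release-day reader may land on an empty or missing entry while `GHSA-v98h-vmpc-fpqv` already has full details. If the NVD page is not live yet, link the CVE record at cve.org instead, or keep the GHSA link as the primary reference.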
Expand All @@ -48,8 +48,8 @@ NOTE: Tiny Technologies would like to thank https://github.com/he1d3n[Ivan Baben

A stored cross-site scripting (XSS) vulnerability was identified through unsanitized `data-mce-href`, `data-mce-src`, and `data-mce-style` attributes. Malicious values in these attributes could override safe attributes during serialization, bypassing validation. {productname} {release-version} strips unsafe `data-mce-*` attributes during parsing.

CVE: _pending_
CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-47759[CVE-2026-47759]

GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f[GitHub Advisories].

// Credits: Tadi Kadango (https://github.com/mtrill47) and Ivan Babenko (https://github.com/he1d3n) — pending permission to attribute
NOTE: Tiny Technologies would like to thank https://github.com/mtrill47[Tadi Kadango] (https://tadiwakadango.com/[website]) and https://github.com/he1d3n[Ivan Babenko (he1d3n)] for discovering this vulnerability.
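Review bot: the trailing context line `// Credits: Tadi Kadango (https://github.com/mtrill47) and Ivan Babenko (https://github.com/he1d3n) — pending permission to attribute` is now stale, since the `NOTE:` line directly below it already credits both researchers by name; drop the comment in this commit so an internal "pending permission" note does not stay in the published source. Also worth a second look: the CVE link for this entry is CVE-2026-47759, numerically before the other two, so double-check it was not transposed with another advisory when the three `_pending_` placeholders were filled in together.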