DOC-3511: Add CVE IDs and missing credit to 7.9.3 and 7.1 release notes#4146

Merged: kemister85 merged 1 commit into tinymce/7 from hotfix/7/DOC-3511 (May 22, 2026)

@kemister85 kemister85 commented May 21, 2026

Summary

  • Replace CVE: _pending_ placeholders with assigned CVE IDs in 7.9.3 release notes
  • Replace CVE: _pending_ placeholder with assigned CVE ID in 7.1 release notes (nested SVG fix)
  • Add missing thank you note for Tadi Kadango and Ivan Babenko on GHSA-q742-qvgc-gc2f

CVE IDs

| Advisory | CVE | Release notes |
| --- | --- | --- |
| GHSA-vg35-5wq7-3x7w (media plugin) | CVE-2026-47761 | 7.9.3 |
| GHSA-v98h-vmpc-fpqv (mce:protected) | CVE-2026-47762 | 7.9.3 |
| GHSA-q742-qvgc-gc2f (data-mce- attributes) | CVE-2026-47759 | 7.9.3 |
| GHSA-mh5m-5hw4-5c69 (nested SVG) | CVE-2026-47760 | 7.1 |

Test plan

  • Verify CVE links resolve to NVD
  • Verify credit note renders on 7.9.3 release notes page
  • Verify 7.1 release notes CVE link renders correctly

- CVE-2026-47761 for media plugin data-mce-object injection (7.9.3)
- CVE-2026-47762 for mce:protected comments bypass (7.9.3)
- CVE-2026-47759 for data-mce- prefixed attribute override (7.9.3)
- CVE-2026-47760 for nested SVG sanitization bypass (7.1)
- Add thank you note for Tadi Kadango and Ivan Babenko (GHSA-q742-qvgc-gc2f)
@kemister85 kemister85 requested review from a team and soritaheng as code owners May 21, 2026 00:19

@ShiridiGandham ShiridiGandham left a comment

LGTM

@kemister85 kemister85 merged commit 5824611 into tinymce/7 May 22, 2026
5 checks passed
@kemister85 kemister85 deleted the hotfix/7/DOC-3511 branch May 22, 2026 02:56