Safeguard
Open Source

TinyMCE npm Security: XSS History and Safe Configuration

The tinymce npm package is a capable rich-text editor with a long history of XSS advisories. Keeping it current and configuring it defensively is what keeps it safe.

Priya Mehta
DevSecOps Engineer
5 min read

The tinymce npm package is a widely used, actively maintained rich-text editor, but because it turns user input into rendered HTML it has a recurring history of cross-site scripting (XSS) advisories, so keeping it patched and configuring it defensively are the two things that keep it safe. TinyMCE is not unusually insecure. Any WYSIWYG editor lives at the exact intersection of "accept HTML from users" and "render HTML in a browser," which is the natural home of XSS. The job is to manage that risk, not to be surprised by it.

Why rich-text editors attract XSS

A rich-text editor exists to let users produce formatted HTML: bold, links, images, tables. That HTML then gets stored and shown to other users. If an attacker can smuggle a <script> tag, an event handler like onerror, or a javascript: URL through the editor and its sanitizer, they get script execution in a victim's session. TinyMCE ships a content sanitizer for exactly this reason, and most of its security advisories are cases where a clever payload bypassed that sanitizer. That is the pattern to internalize: the vulnerabilities are sanitizer-bypass bugs, and the fix is almost always a version upgrade.

A look at the advisory history

TinyMCE has published a steady stream of XSS advisories over the years, all following the same shape. A few verified examples:

  • CVE-2022-23494 allowed script execution through malicious HTML in alert and confirm dialogs. It was patched in TinyMCE 5.10.7 and 6.3.1 by ensuring sanitization still ran after unwrapping invalid elements.
  • CVE-2023-48219 affected content parsing and was patched in TinyMCE 5.10.9 by handling a special internal marker safely in unescaped text nodes.
  • CVE-2024-29203 involved XSS through iframe handling in versions before 6.8.0.
  • More recently, a 2026 batch of advisories covered sanitizer bypasses via nested SVGs and prefixed attributes, fixed in the 5.11.x, 7.9.x, and 8.5.x lines.

The consistent thread: each was a bypass of the built-in sanitizer, and each was resolved by shipping a fixed release. That is why version currency is the single most important control here.

Which version should you run?

Run a current, supported release and treat TinyMCE upgrades as security-relevant, not just feature updates. Because the advisory pattern is "sanitizer bypass fixed in release X," an out-of-date editor is very likely running with a known bypass.

Pin the version explicitly and let a scanner watch it:

{
  "dependencies": {
    "tinymce": "^7.9.3"
  }
}

Because rich-text editors are often pulled in transitively by admin panels, CMS themes, or form libraries, it is worth confirming the exact resolved version in your lockfile rather than trusting the range. An SCA tool such as Safeguard flags a TinyMCE version that sits below the fix line for a known advisory, including when it arrives as an indirect dependency.

Configure defensively, and never trust the client alone

Upgrading fixes known bypasses. Good configuration reduces the blast radius of the ones not yet discovered.

Keep the sanitizer on. Do not disable content filtering for convenience. Historically, options that allowed raw or unfiltered content were a common self-inflicted XSS source. If you must permit iframes or custom elements, allowlist specific tags and attributes rather than opening the gates.

Sanitize on the server, too. This is the big one. The editor runs in the browser, so its sanitization is client-side and can be bypassed entirely by an attacker who posts crafted HTML straight to your API. Always re-sanitize submitted HTML server-side with a hardened library (for example, a well-maintained HTML sanitizer for your backend language) before storing or rendering it. The editor's job is UX; your server's job is the security boundary.

Add a Content Security Policy. A strict CSP that forbids inline script is a strong second line of defense. Even if a payload slips through, a good CSP can stop it from executing. Our academy covers building a CSP that coexists with editors and analytics.

The short version

TinyMCE is a solid choice with a manageable risk profile if you do three things: run a current release, keep the sanitizer enabled and narrow, and re-sanitize on the server. The advisory history looks long, but it is really the same lesson repeated, which means the same discipline handles all of it.

FAQ

Is the tinymce npm package safe to use?

Yes, when kept current. TinyMCE is actively maintained and patches XSS sanitizer-bypass issues promptly. The risk comes from running an outdated version or disabling its content filtering, both of which are within your control.

Which TinyMCE version fixes the known XSS issues?

Each advisory names its fix line. Recent sanitizer-bypass issues were resolved in the 5.11.x, 7.9.x, and 8.5.x releases, and older CVEs were fixed in versions like 5.10.7, 5.10.9, and 6.3.1. The safe approach is to run the latest supported release rather than tracking individual patches.

Do I still need server-side sanitization if TinyMCE sanitizes content?

Yes. TinyMCE's sanitization runs in the browser and can be bypassed by posting crafted HTML directly to your API. Always re-sanitize submitted HTML server-side before storing or rendering it.

How can I reduce XSS risk beyond upgrading?

Keep the editor's content filter enabled with a narrow allowlist, sanitize on the server, and deploy a strict Content Security Policy that blocks inline script so that a payload slipping through the editor still cannot execute.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.