CVE-2024-21908

CVE-2024-21908: Cross-site scripting vulnerability in TinyMCE

Weakness CWE-79 · XSS
Published January 3, 2024
Last update November 28, 2025
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser.

Key dates

02Disclosure timeline

January 3, 2024 CVE published
November 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-10790 Admin and Site Enhancements (ASE) <= 7.5.1 - Authenticated Stored Cross-Site Scripting via SVG CVE-2025-26563 WordPress Rocket Mobile Plugin <= 0.4.2 - Cross Site Scripting (XSS) vulnerability CVE-2024-43713 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2025-59985 Junos Space: Purging Policy field is vulnerable to reflected cross-site script injection CVE-2026-46511 HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack