TinyMCE 6 vulnerability

Since this morning it is not possible to create a project due to this:

$ composer audit
Found 1 ignored security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | tinymce/tinymce                                                                  |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-hdg2-6rxt-d4qn                                                              |
| CVE               | CVE-2024-29881                                                                   |
| Title             | TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files  |
|                   | through Object or Embed elements                                                 |
| URL               | https://github.com/advisories/GHSA-5359-pvf2-pw78                                |
| Affected versions | <7.0.0                                                                           |
| Reported at       | 2024-03-26T21:23:45+00:00                                                        |
| Ignore reason     | None specified                                                                   |
+-------------------+----------------------------------------------------------------------------------+

$ composer update -n --no-audit --ansi
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

Problem 1

* Root composer.json requires tinymce/tinymce ^6.8.4, found tinymce/tinymce[6.8.4, 6.8.5, 6.8.6] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-hdg2-6rxt-d4qn") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Temporary workaround inside the project directory:

composer config audit.ignore PKSA-hdg2-6rxt-d4qn

1 Like

TinyMCE 7 moved to a GPLv2+ license. If that is applicable to your site, you can choose the version in the TinyMCE extension's advanced settings, see Using Extensions.

Otherwise, if you still need to use v6 (MIT license), make sure you use v2026.3 or newer.

The developer of TinyMCE probably will not fix v6.x, but you may use the latest version of v6 (i.e. v6.8.6 as of today) and add the following settings to your TinyMCE config:

sandbox_iframes: true,
convert_unsafe_embeds: true,

then the vulnerability should be blocked.
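As an added example (not code from the thread or from TinyMCE), the Node.js snippet below does two things a site owner staying on v6 would want: it layers the two option names given in the reply (`sandbox_iframes`, `convert_unsafe_embeds`) onto an existing `tinymce.init` config, and it scans already-stored editor HTML for `<object>`/`<embed>` elements that reference SVG content, since content saved before the config change is not touched by the new options. The scanner is a review heuristic on constructed sample content, not a sanitizer; everything except the two TinyMCE option names is an assumption.

```javascript
// Added example, not part of the thread or of TinyMCE.
// Option names below come from the reply; all other names are assumed.
const HARDENING_OPTIONS = Object.freeze({
  sandbox_iframes: true,
  convert_unsafe_embeds: true,
});

// Merge the hardening options over a base config; they win over any
// conflicting value the base config sets.
function hardenedTinyMceConfig(baseConfig) {
  return { ...baseConfig, ...HARDENING_OPTIONS };
}

// Start tags of <object ...> / <embed ...>; closing tags do not match
// because the character after '<' must be a letter.
const OBJECT_EMBED_TAG = /<(object|embed)\b([^>]*)>/gi;
// name="value", name='value' or name=value attribute forms.
const ATTRIBUTE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTRIBUTE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the element's MIME type or its data/src URL points at SVG.
function referencesSvg(attrs) {
  const type = (attrs.type || '').toLowerCase();
  const url = (attrs.data || attrs.src || '').toLowerCase().split(/[?#]/)[0];
  return type.startsWith('image/svg') || url.endsWith('.svg') || url.endsWith('.svgz');
}

// One finding per <object>/<embed> that references SVG content.
function findSvgObjectEmbeds(html) {
  const findings = [];
  for (const m of html.matchAll(OBJECT_EMBED_TAG)) {
    const attrs = parseAttributes(m[2]);
    if (referencesSvg(attrs)) {
      findings.push({
        tag: m[1].toLowerCase(),
        source: attrs.data || attrs.src || '',
        type: attrs.type || '',
        offset: m.index,
      });
    }
  }
  return findings;
}

// Constructed sample: stored editor content with two SVG embeds and one
// unrelated <object> that should not be reported.
const SAMPLE_HTML = [
  '<p>Hello</p>',
  '<object data="/uploads/chart.svg" type="image/svg+xml"></object>',
  '<embed src="https://cdn.example.test/logo.SVG?v=2">',
  '<object data="/docs/report.pdf" type="application/pdf"></object>',
].join('\n');

console.log(hardenedTinyMceConfig({ selector: 'textarea', plugins: 'link' }));
console.log(findSvgObjectEmbeds(SAMPLE_HTML));
```

Run the scanner over exported page content before and after enabling the options; anything it reports is content worth re-saving through the hardened editor or reviewing by hand.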