TinyMCE 6 vulnerability

TinyMCE 7 moved to the GPLv2+ license. If that license is acceptable for your site, you can choose the version in the TinyMCE extension's advanced settings; see Using Extensions.

Otherwise, if you still need to use v6 (MIT license), make sure you use v2026.3 or newer.

The developer of TinyMCE probably will not fix v6.x, but you can use the latest v6 release (v6.8.6 as of today) and add the following settings to your TinyMCE config:

sandbox_iframes: true,
convert_unsafe_embeds: true,

The vulnerability should then be blocked.
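
To confirm that a deployed editor really carries both settings, the check below audits an init config and the TinyMCE version string. It is an added example, not code from TinyMCE or the extension; the function names and the sample config are assumptions made for illustration.

```javascript
// Added example, not TinyMCE's or the extension's code.
const REQUIRED_KEYS = ['sandbox_iframes', 'convert_unsafe_embeds']; // from this page
const PAGE_V6_RELEASE = [6, 8, 6]; // latest v6 release named on this page

// "6.8.6" -> [6, 8, 6]; missing or non-numeric parts become 0.
function parseVersion(version) {
  return String(version).split('.').map((part) => parseInt(part, 10) || 0);
}

// True when version a sorts before version b (major, minor, patch).
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns a list of findings; an empty list means the config
// matches the advice above.
function auditTinymceConfig(version, config) {
  const findings = [];
  const parsed = parseVersion(version);
  if (parsed[0] === 6 && isOlder(parsed, PAGE_V6_RELEASE)) {
    findings.push(`TinyMCE ${version} is older than 6.8.6`);
  }
  for (const key of REQUIRED_KEYS) {
    if (!Object.prototype.hasOwnProperty.call(config, key)) {
      findings.push(`${key} is not set`);
    } else if (config[key] !== true) {
      // Flags false as well as a string "true" left by a templated config.
      findings.push(`${key} is ${JSON.stringify(config[key])}, expected true`);
    }
  }
  return findings;
}

// Returns a copy of the config with both settings forced to true.
function hardenTinymceConfig(config) {
  return { ...config, sandbox_iframes: true, convert_unsafe_embeds: true };
}

// Constructed sample config for illustration.
const sampleConfig = { selector: 'textarea', plugins: 'media', sandbox_iframes: 'true' };
console.log(auditTinymceConfig('6.7.0', sampleConfig));
console.log(auditTinymceConfig('6.8.6', hardenTinymceConfig(sampleConfig)));
```

In a browser, the version string can be built from tinymce.majorVersion and tinymce.minorVersion.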