[HIGH] TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection

PKSA-k4d6-bt7k-7ddp CVE-2026-47761 GHSA-vg35-5wq7-3x7w

Affected package: tinymce/tinymce

Affected version: >=8.0.0,<8.5.1|>=6.0.0,<7.9.3|<5.11.1

Reported by:
GitHub