From 1fe23bf1b20e6537e1fa5a7fc7a245dbdba53015 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Wed, 6 May 2026 09:53:36 +1000 Subject: [PATCH 1/5] TinyMCE 8.5.1 security release notes Add release notes page, nav entry, changelog entry, and release-notes table cell for the TinyMCE 8.5.1 security patch release covering TINY-14357, TINY-14353, and TINY-14333. CVE IDs, release date, and credits are placeholders pending assignment. --- modules/ROOT/nav.adoc | 4 +- modules/ROOT/pages/8.5.1-release-notes.adoc | 55 +++++++++++++++++++++ modules/ROOT/pages/changelog.adoc | 11 +++++ modules/ROOT/pages/release-notes.adoc | 8 ++- 4 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 modules/ROOT/pages/8.5.1-release-notes.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index f9327d1f6f..e51fb096ff 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -408,7 +408,9 @@ ** xref:tinymce-and-cors.adoc[Cross-Origin Resource Sharing (CORS)] * Release information ** xref:release-notes.adoc[Release notes for {productname}] -// Remove un-used-for-this-particular-release entries. +*** {productname} 8.5.1 +**** xref:8.5.1-release-notes.adoc#overview[Overview] +**** xref:8.5.1-release-notes.adoc#security-fixes[Security fixes] *** {productname} 8.5.0 **** xref:8.5.0-release-notes.adoc#overview[Overview] **** xref:8.5.0-release-notes.adoc#accompanying-premium-plugin-changes[Accompanying Premium Plugin changes] diff --git a/modules/ROOT/pages/8.5.1-release-notes.adoc b/modules/ROOT/pages/8.5.1-release-notes.adoc new file mode 100644 index 0000000000..f13e734375 --- /dev/null +++ b/modules/ROOT/pages/8.5.1-release-notes.adoc 
@@ -0,0 +1,55 @@ += {productname} {release-version} +:release-version: 8.5.1 +:navtitle: {productname} {release-version} +:description: Release notes for {productname} {release-version} +:keywords: releasenotes, new, changes, bugfixes +:page-toclevels: 1 + +include::partial$misc/admon-releasenotes-for-stable.adoc[] + + +[[overview]] +== Overview + +{productname} {release-version} was released for {enterpriseversion} and {cloudname} on ,
^^, . These release notes provide an overview of the changes for {productname} {release-version}, including: + +* xref:security-fixes[Security fixes] + + +[[security-fixes]] +== Security fixes + +{productname} {release-version} includes fixes for the following security issues: + +=== Fixed stored XSS vulnerability using media plugin `data-mce-object` injection +// #TINY-14357 + +A stored cross-site scripting (XSS) vulnerability was identified in the media plugin. Malicious scripts could be injected through crafted `data-mce-object` and `data-mce-p-*` attributes, which were executed when content was rendered. {productname} {release-version} ensures that content with `data-mce-object` and `data-mce-p-*` attributes is properly sanitized when the media plugin is in use. + +CVE: _pending_ + +GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-vg35-5wq7-3x7w[GitHub Advisories]. + +// Credits: _pending_ + +=== Fixed stored XSS vulnerability through `mce:protected` comments +// #TINY-14353 + +A stored cross-site scripting (XSS) vulnerability was identified through forged `mce:protected` comments. Attackers could bypass sanitization and inject scripts that executed when content was restored. This issue affected configurations using the `protect` option. {productname} {release-version} validates decoded `mce:protected` content against configured `protect` regex rules before restoring. + +CVE: _pending_ + +GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv[GitHub Advisories]. + +// Credits: _pending_ + +=== Fixed stored XSS vulnerability through `data-mce-` prefixed `src`, `href`, `style` attributes +// #TINY-14333 + +A stored cross-site scripting (XSS) vulnerability was identified through unsanitized `data-mce-href`, `data-mce-src`, and `data-mce-style` attributes. Malicious values in these attributes could override safe attributes during serialization, bypassing validation. 
{productname} {release-version} strips unsafe `data-mce-*` attributes during parsing. + +CVE: _pending_ + +GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f[GitHub Advisories]. + +// Credits: _pending_ diff --git a/modules/ROOT/pages/changelog.adoc b/modules/ROOT/pages/changelog.adoc index 772f97308e..e1a214d433 100644 --- a/modules/ROOT/pages/changelog.adoc +++ b/modules/ROOT/pages/changelog.adoc @@ -4,6 +4,17 @@ NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes]. +== xref:8.5.1-release-notes.adoc[8.5.1 - YYYY-MM-DD] + +=== Security + +* Fixed stored XSS vulnerability using media plugin `data-mce-object` injection. +// #TINY-14357 +* Fixed stored XSS vulnerability through `mce:protected` comments. +// #TINY-14353 +* Fixed stored XSS vulnerability through `data-mce-` prefixed `src`, `href`, `style` attributes. +// #TINY-14333 + == xref:8.5.0-release-notes.adoc[8.5.0 - 2026-04-29] ### Added diff --git a/modules/ROOT/pages/release-notes.adoc b/modules/ROOT/pages/release-notes.adoc index 14c8a3677c..75dc5518d0 100644 --- a/modules/ROOT/pages/release-notes.adoc +++ b/modules/ROOT/pages/release-notes.adoc @@ -8,6 +8,12 @@ This section lists the releases for {productname} {productmajorversion} and the [cols="1,1"] |=== +a| +[.lead] +xref:8.5.1-release-notes.adoc#overview[{productname} 8.5.1] + +Release notes for {productname} 8.5.1 + a| [.lead] xref:8.5.0-release-notes.adoc#overview[{productname} 8.5.0] @@ -92,5 +98,5 @@ xref:8.0-release-notes.adoc#overview[{productname} 8.0.0] Release notes for {productname} 8.0.0 // Uncomment the dummy cell when the number of cells in the table is odd to ensure the table renders correctly. -// a| +a| |=== From 8d55a8805e8f1475a3a829292c3bd137627b79e2 Mon Sep 17 00:00:00 2001 
From: Karl Kemister-Sheppard Date: Wed, 6 May 2026 13:11:11 +1000 Subject: [PATCH 2/5] Add security researcher credits to 8.5.1 release notes - GHSA-vg35-5wq7-3x7w: Aymane MAZGUITI and Ange Primiterra - GHSA-v98h-vmpc-fpqv: Ivan Babenko (he1d3n) - GHSA-q742-qvgc-gc2f: Tadi Kadango (pending permission) --- modules/ROOT/pages/8.5.1-release-notes.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/ROOT/pages/8.5.1-release-notes.adoc b/modules/ROOT/pages/8.5.1-release-notes.adoc index f13e734375..b55ad75dca 100644 --- a/modules/ROOT/pages/8.5.1-release-notes.adoc +++ b/modules/ROOT/pages/8.5.1-release-notes.adoc @@ -30,7 +30,7 @@ CVE: _pending_ GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-vg35-5wq7-3x7w[GitHub Advisories]. -// Credits: _pending_ +NOTE: Tiny Technologies would like to thank https://github.com/UncleJ4ck[Aymane MAZGUITI] and https://github.com/ange-primiterra[Ange Primiterra] for discovering this vulnerability. === Fixed stored XSS vulnerability through `mce:protected` comments // #TINY-14353 @@ -41,7 +41,7 @@ CVE: _pending_ GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-v98h-vmpc-fpqv[GitHub Advisories]. -// Credits: _pending_ +NOTE: Tiny Technologies would like to thank https://github.com/he1d3n[Ivan Babenko (he1d3n)] for discovering this vulnerability. === Fixed stored XSS vulnerability through `data-mce-` prefixed `src`, `href`, `style` attributes // #TINY-14333 @@ -52,4 +52,4 @@ CVE: _pending_ GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f[GitHub Advisories]. -// Credits: _pending_ +// Credits: Tadi Kadango (https://github.com/mtrill47) — pending permission to attribute From d1ba3aff7b93cde595d4410d9044eb7fc3e7225a Mon Sep 17 00:00:00 2001 
From: Karl Kemister-Sheppard Date: Wed, 20 May 2026 13:53:08 +1000 Subject: [PATCH 3/5] Add missing Ivan Babenko credit to data-mce- attribute XSS fix The GHSA-q742-qvgc-gc2f advisory credits both Tadi Kadango and Ivan Babenko, but the pending credit comment only listed Tadi Kadango. --- modules/ROOT/pages/8.5.1-release-notes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/8.5.1-release-notes.adoc b/modules/ROOT/pages/8.5.1-release-notes.adoc index b55ad75dca..d5682272dc 100644 --- a/modules/ROOT/pages/8.5.1-release-notes.adoc +++ b/modules/ROOT/pages/8.5.1-release-notes.adoc @@ -52,4 +52,4 @@ CVE: _pending_ GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-q742-qvgc-gc2f[GitHub Advisories]. -// Credits: Tadi Kadango (https://github.com/mtrill47) — pending permission to attribute +// Credits: Tadi Kadango (https://github.com/mtrill47) and Ivan Babenko (https://github.com/he1d3n) — pending permission to attribute From 672b511dad91053b291e72c9d623f300be90dfe4 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Wed, 20 May 2026 14:04:19 +1000 Subject: [PATCH 4/5] Set 8.5.1 release date to May 20, 2026 --- modules/ROOT/pages/8.5.1-release-notes.adoc | 2 +- modules/ROOT/pages/changelog.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/8.5.1-release-notes.adoc b/modules/ROOT/pages/8.5.1-release-notes.adoc index d5682272dc..97604a6053 100644 --- a/modules/ROOT/pages/8.5.1-release-notes.adoc +++ b/modules/ROOT/pages/8.5.1-release-notes.adoc @@ -11,7 +11,7 @@ include::partial$misc/admon-releasenotes-for-stable.adoc[] [[overview]] == Overview -{productname} {release-version} was released for {enterpriseversion} and {cloudname} on ,
^^, . These release notes provide an overview of the changes for {productname} {release-version}, including: +{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Tuesday, May 20^th^, 2026. These release notes provide an overview of the changes for {productname} {release-version}, including: * xref:security-fixes[Security fixes] diff --git a/modules/ROOT/pages/changelog.adoc b/modules/ROOT/pages/changelog.adoc index e1a214d433..c7a738d33b 100644 --- a/modules/ROOT/pages/changelog.adoc +++ b/modules/ROOT/pages/changelog.adoc @@ -4,7 +4,7 @@ NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes]. -== xref:8.5.1-release-notes.adoc[8.5.1 - YYYY-MM-DD] +== xref:8.5.1-release-notes.adoc[8.5.1 - 2026-05-20] === Security From 3189bdddc12dd14980f552476f16f7f2962e5e0b Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Wed, 20 May 2026 14:05:14 +1000 Subject: [PATCH 5/5] Fix day of week: Wednesday not Tuesday for May 20, 2026 --- modules/ROOT/pages/8.5.1-release-notes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/8.5.1-release-notes.adoc b/modules/ROOT/pages/8.5.1-release-notes.adoc index 97604a6053..ced31e9c7f 100644 --- a/modules/ROOT/pages/8.5.1-release-notes.adoc +++ b/modules/ROOT/pages/8.5.1-release-notes.adoc 
@@ -11,7 +11,7 @@ include::partial$misc/admon-releasenotes-for-stable.adoc[] [[overview]] == Overview -{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Tuesday, May 20^th^, 2026. These release notes provide an overview of the changes for {productname} {release-version}, including: +{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Wednesday, May 20^th^, 2026. These release notes provide an overview of the changes for {productname} {release-version}, including: * xref:security-fixes[Security fixes]
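Review bot: In PATCH 1/5, the Overview paragraph of 8.5.1-release-notes.adoc carries a raw date placeholder (`on ,` followed by `^^, .`) that renders as an empty superscript and stray punctuation if the page is built before the date is filled in; PATCH 4/5 and 5/5 later replace it, so either squash those into this commit or use an explicit marker such as `_pending_`, as the `CVE: _pending_` lines already do. Separately, no commit in the series ever replaces `CVE: _pending_` in any of the three sections; before publication those lines need the assigned IDs or a rewording, otherwise the released page will state "pending" indefinitely.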
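Review bot: In the nav.adoc hunk of PATCH 1/5, the deleted line `// Remove un-used-for-this-particular-release entries.` is template guidance for whoever adds the next release block, not a leftover; consider keeping the comment above the new `*** {productname} 8.5.1` entry so the reminder survives for 8.5.2 and later.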
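Review bot: In the changelog.adoc hunk of PATCH 1/5, the new `=== Security` subsection uses AsciiDoc heading syntax while the adjacent 8.5.0 entry uses Markdown-style `### Added`; the file should settle on one form so the rendered heading levels stay consistent. The `[8.5.1 - YYYY-MM-DD]` placeholder is only filled in PATCH 4/5, which is another reason to squash the date commits into this one.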
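Review bot: In PATCH 2/5, the third section keeps the attribution as a source comment, `// Credits: Tadi Kadango (https://github.com/mtrill47) — pending permission to attribute`, while the other two sections promote theirs to `NOTE:` admonitions. A commented-out credit with a personal GitHub handle is still published in the documentation repository even though it is not rendered, so if the researcher has not yet agreed to be named, leave the name and URL out of the commit until permission is confirmed rather than parking it in a comment.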
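Review bot: In PATCH 3/5, Ivan Babenko is added to the pending-permission comment for GHSA-q742-qvgc-gc2f, yet PATCH 2/5 already credits him by name in a rendered `NOTE:` for GHSA-v98h-vmpc-fpqv. Confirm whether the pending status really applies to both researchers; if it applies to Tadi Kadango only, render the Ivan Babenko credit as a `NOTE:` matching the other sections and keep the comment for the single unresolved name.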
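Review bot: In PATCH 4/5, the Overview hunk sets the release date to `Tuesday, May 20^th^, 2026`, but 20 May 2026 is a Wednesday, as the commit's own `Date: Wed, 20 May 2026` header shows; PATCH 5/5 exists only to correct this one word. Squash 5/5 into 4/5 so no commit in the history states a wrong release date, and consider spelling the date without the day of week in the release notes, since the changelog hunk in the same commit uses the plain ISO form `2026-05-20`.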