TinyMCE 7.9.3 security release notes #4144

Merged: kemister85 merged 6 commits into tinymce/7 from feature/security-release-notes/docs-7 on May 20, 2026
kemister85 commented May 20, 2026

Summary

Release notes
Changelog

  • Add 7.9.3-release-notes.adoc with security fixes for TINY-14357, TINY-14353, TINY-14333
  • Update nav.adoc with 7.9.3 entry (Overview + Security fixes)
  • Update release-notes.adoc table with 7.9.3 cell
  • Update changelog.adoc with 7.9.3 security section
  • Add missing GHSA-mh5m-5hw4-5c69 (nested SVG XSS) entry to 7.1 release notes and changelog
  • Release date: Wednesday, May 20th, 2026

Security advisories covered

7.9.3

7.1 (retroactive)

  • GHSA-mh5m-5hw4-5c69 — Nested SVG sanitization bypass (patched in 7.1.0, advisory published today)

Test plan

  • Verify 7.9.3 release notes page renders correctly in preview
  • Verify 7.1 release notes security section updated correctly
  • Verify nav links resolve
  • Verify changelog entries format matches conventions

kemister85 added 6 commits May 6, 2026 09:55
Add release notes page, nav entry, changelog entry, and release-notes
table cell for the TinyMCE 7.9.3 security patch release covering
TINY-14357, TINY-14353, and TINY-14333.

CVE IDs, release date, and credits are placeholders pending assignment.
- GHSA-vg35-5wq7-3x7w: Aymane MAZGUITI and Ange Primiterra
- GHSA-v98h-vmpc-fpqv: Ivan Babenko (he1d3n)
- GHSA-q742-qvgc-gc2f: Tadi Kadango (pending permission)
The GHSA-q742-qvgc-gc2f advisory credits both Tadi Kadango and
Ivan Babenko, but the pending credit comment only listed Tadi Kadango.
The advisory for the nested SVG sanitization bypass was published but
never documented in the 7.1 release notes or changelog. Add the
security fix entry and credit maple3142 of DEVCORE.

kemister85 requested review from a team and soritaheng as code owners May 20, 2026 04:11
ShiridiGandham left a comment

LGTM

kemister85 merged commit b59cd8b into tinymce/7 May 20, 2026
5 checks passed
kemister85 deleted the feature/security-release-notes/docs-7 branch May 20, 2026 04:30