Canvas runs TinyMCE v5 that has DOMPurify v2.3.8 vulnerabilities

Skylar

Apr 6, 2026, 2:11:16 PM
to Canvas LMS Users
Hello,

Canvas uses TinyMCE v5, which uses DOMPurify v2.3.8, which has many vulnerabilities, including CVE-2024-48910, CVE-2024-47875, CVE-2024-45801, and CVE-2025-26791.

sudo grep -ir "\"tinymce\":"
package.json: "tinymce": "^5",
packages/sanitize-html-with-tinymce/package.json: "tinymce": "^5"
packages/canvas-rce/package.json: "tinymce": "^5.9",

Unfortunately, even the latest v5.10.9 still has DOMPurify.version 2.3.8.

I've confirmed v8 of TinyMCE has this fixed. Does Canvas have plans to update TinyMCE to a newer version like v8.4.0?