Release Notes

6.8.7 (NES) - June 13, 2025

Notes

• This release backports remediations for several vulnerabilities.
  • CVE-2024-29881
  • CVE-2024-29203
• Full Version: 6.8.5-tinymce-6.8.7

Fixes

• convert_unsafe_embeds editor option is now defaulted to true.
  • This fixes a Medium Severity XSS vulnerability (CVE-2024-29881).
• sandbox_iframes editor option is now defaulted to true.
  • This fixes a Medium Severity XSS vulnerability (CVE-2024-29203).
• New sandbox_iframes_exclusions option that holds a list of URL host names to be excluded from iframe sandboxing when sandbox_iframes is set to true.
  • This fixes a Medium Severity XSS vulnerability (CVE-2024-29203).

6.8.6 (NES) - June 12, 2025

Notes

• This release contains no functional change from the OSS tinymce v6.8.5.
• This release mainlines OSS v6.8.5 into NES v6.8.6.
• Full Version: 6.8.5-tinymce-6.8.6