Joomla TinyMCE Editor Broken in Firefox 148 - How to Fix It

On February 26, 2026, Firefox 148 landed and immediately broke the TinyMCE editor in Joomla. Every version of Joomla that ships TinyMCE was affected: 4.4.x, 5.4.x, and 6.0.x. The editor flickers endlessly, reloading its iframe in an infinite loop. Content editing becomes impossible.

If you manage multiple Joomla sites and your content editors started reporting problems the same week, this is almost certainly the cause. Joomla 5.4.4 and 6.0.4 were released on March 31, 2026 with this fix included, along with six security patches. Updating to these versions is now the recommended solution. Hotfix packages for 5.4.3 and 6.0.3 are also still available from downloads.joomla.org if you cannot update immediately.

What went wrong with Joomla’s TinyMCE?

Firefox 148 removed a deprecated API called MouseEvent.mozInputSource. This was a Mozilla-specific property that let JavaScript distinguish between mouse clicks from different input devices (physical mouse, touch screen, pen). Mozilla marked it as deprecated years ago and finally removed it in Firefox 148.

TinyMCE’s initialization code relied on this property. During editor setup, TinyMCE checks whether the iframe containing the editor has finished loading. The code path that performed this check interacted with mozInputSource in a way that, once the property was removed, caused the iframe to never reach a completed state. TinyMCE would detect the iframe as incomplete, tear it down, and reinitialize, over and over.

The result: the editor loads its stylesheets repeatedly, the content area flickers, and you cannot type or interact with anything.

Which browsers and platforms are affected?

The bug is specific to Firefox:

• Firefox 148 on macOS (both Apple Silicon and Intel), Windows 11, and Ubuntu 24.04
• Firefox Developer Edition 149.0b1 (also affected, confirming this is a permanent API removal)
• Chrome, Safari, Edge: Unaffected. These browsers never implemented mozInputSource.

This means the issue only hits users and content editors who use Firefox. If your agency standardizes on Chrome, you might not have noticed. But if even one of your clients or their editors uses Firefox, their editing workflow broke overnight with no warning.

Which Joomla versions are affected?

Every version of Joomla that includes TinyMCE as the default editor:

• Joomla 4.4.x (confirmed on 4.4.14)
• Joomla 5.4.x (confirmed on 5.4.3)
• Joomla 6.0.x (confirmed on 6.0.3)

The bug is in TinyMCE’s JavaScript, not in Joomla’s PHP code. Any Joomla installation using the bundled TinyMCE editor is affected regardless of template, extensions, or server configuration.

What is the upstream TinyMCE issue?

The root cause sits in TinyMCE itself, tracked as GitHub issue #10947 on the TinyMCE repository. The fix required TinyMCE to switch from the removed MouseEvent.mozInputSource to the standard PointerEvent.pointerType API, which provides the same input-device detection using a cross-browser standard.

Joomla’s fix, tracked as PR #46889, patches the TinyMCE initialization script bundled with Joomla. The fix modifies a single file: build/media_source/plg_editors_tinymce/js/tinymce.es6.js.

How did Joomla respond?

The Joomla project handled this well. The issue was flagged on February 26, the same day Firefox 148 shipped. The fix was already merged into the development branches before the report was even filed, because the Joomla team had caught it during Firefox Developer Edition testing.

The Joomla Magazine published a detailed post-mortem titled “How we decided not to panic”, walking through the team’s decision process for handling the incident. Rather than rushing out emergency point releases, they chose to ship hotfix packages that site owners could install through Extension Manager while preparing proper releases on the normal timeline.

Credit where it’s due - the Joomla team got the response right on this one.

How do you fix the Joomla TinyMCE issue?

Upgrade all your Joomla sites from one dashboard with mySites.guru

Joomla 5.4.4 and 6.0.4 shipped on March 31, 2026 with the TinyMCE fix included permanently, plus six security patches covering SQL injection, XSS, arbitrary file deletion, and access control issues. Update to these versions if you haven’t already.

If you manage multiple Joomla sites, the mySites.guru Mass Upgrade tool is the fastest way to get every site patched. Filter your dashboard by Joomla version to find sites still on 5.4.3 or 6.0.3, select them all, and hit upgrade. Every site updates in one operation - no logging into individual admin panels, no downloading packages manually.

mySites.guru tracks Joomla core versions and extension versions across every connected site, so you can see at a glance which sites still need the update. The Mass Upgrade tool works for any Joomla point release, not just this one - whenever a security update drops, you can push it across your entire portfolio from one screen.

Fixing a single site manually

If you only manage one site, or don’t have a mySites.guru account yet, update through your Joomla admin panel:

1. Go to System > Joomla Update in your admin
2. You should see Joomla 5.4.4 or 6.0.4 available
3. Click Install the Update
4. Clear your browser cache and reload the article editor

Still on the hotfix? Time to update

If you applied the TinyMCE hotfix package for Joomla 5.4.3 or 6.0.3 earlier, updating to 5.4.4 / 6.0.4 supersedes it. The hotfix only patched TinyMCE’s JavaScript - the full release includes that same fix plus six security patches you need anyway. Use the Mass Package Installer or the Mass Upgrade tool to get all sites current.

Switch editors temporarily

Changing the default editor to CodeMirror or JCE avoids the problem entirely. Go to System > Global Configuration > Default Editor. This is a workaround, not a fix, and should be reversed once you update to 5.4.4 / 6.0.4.

What does this incident teach us?

Browser vendors remove deprecated APIs on their own schedule. They do not coordinate with every CMS and JavaScript library that might depend on those APIs. Mozilla deprecated mozInputSource years ago, but the actual removal still caught TinyMCE (and by extension, every CMS that bundles it) off guard.

This is not unique to Joomla. The Astroid Framework vulnerability showed the same pattern: a third-party component breaks, and agencies need to identify affected sites and deploy a fix across their entire portfolio fast. The only defense is staying current with updates and having a process to roll out fixes quickly.

For agencies managing client sites, incidents like this are exactly why building a morning check routine matters. A quick scan of your dashboard catches problems before your clients call you about them.

Further Reading

• Joomla 6.0.4 / 5.4.4 release announcement - The official release that includes the TinyMCE fix and six security patches
• Joomla 6.0.3 / 5.4.3 hotfix downloads - Hotfix packages for sites that cannot update to 5.4.4 / 6.0.4 yet
• “How we decided not to panic” - Joomla Magazine - The Joomla team’s post-mortem on their decision process
• GitHub Issue #47238 - The original bug report with community confirmation across platforms
• TinyMCE Issue #10947 - The upstream TinyMCE bug report about the mozInputSource removal
• Joomla PR #46889 - The merged fix that patches TinyMCE initialization

Edge cases like this are covered in our CMS updates guide.