Description
A lack of data validation in the HTML export feature of Quill allows Cross-Site Scripting (XSS).
This issue affects Quill: 2.0.3.
Recommendation
No fix is available yet. The following versions are affected:
- = 2.0.3
References
Related Issues
- Astro vulnerable to reflected XSS via the server islands feature - CVE-2025-64764
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
Tags
- npm
- quill
Last updated on January 16, 2026